To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to plugins.d/mandos-client.c
- browse files at revision 237.25.6
- compare with another revision
- download diff
- download tarball
- view history from revision 237.25.6
- Committer: Teddy Hogeborn
- Date: 2015-07-06 20:09:47 UTC
- mto: (237.7.307 trunk)
- mto: This revision was merged to the branch mainline in revision 325.
- Revision ID: teddy@recompile.se-20150706200947-w21u4eq74efgl6r5
Fix minor bugs and typos and add some more debug output.
* Makefile (install-client-nokey): Create plugin-helpers directory and
the mandos-client-iprouteadddel
helper program.
* initramfs-tools-hook (PLUGINHELPERDIR): Fix typo.
* plugins.d/mandos-client.c: Change terminology; routes are "deleted",
not "removed". All occurences changed.
(add_remove_local_route): Renamed to "add_delete_local_route". All
callers changed. Also pass "--debug" flag
to helper if in debug mode.
(add_local_route): Add debugging output.
(remove_local_route): Renamed to "delete_local_route". All callers
changed. Also pass "--debug" flag to helper
if in debug mode.
(start_mandos_communication): Add debug output when adding route.
* Makefile (install-client-nokey): Create plugin-helpers directory and
the mandos-client-iprouteadddel
helper program.
* initramfs-tools-hook (PLUGINHELPERDIR): Fix typo.
* plugins.d/mandos-client.c: Change terminology; routes are "deleted",
not "removed". All occurences changed.
(add_remove_local_route): Renamed to "add_delete_local_route". All
callers changed. Also pass "--debug" flag
to helper if in debug mode.
(add_local_route): Add debugging output.
(remove_local_route): Renamed to "delete_local_route". All callers
changed. Also pass "--debug" flag to helper
if in debug mode.
(start_mandos_communication): Add debug output when adding route.
- files added:
- .bzr-builddeb
- debian
- debian/po
- debian/source
- debian/upstream
- network-hooks.d
- plugin-helpers
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
plugins.d/mandos-client.c
1
1
/* -*- coding: utf-8 -*- */
2
2
/*
3
* Mandos client - get and decrypt data from a Mandos server
3
* Mandos-client - get and decrypt data from a Mandos server
4
4
*
5
5
* This program is partly derived from an example program for an Avahi
6
6
* service browser, downloaded from
9
9
* "browse_callback", and parts of "main".
10
10
*
11
11
* Everything else is
12
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
12
* Copyright © 2008-2015 Teddy Hogeborn
13
* Copyright © 2008-2015 Björn Påhlsson
13
14
*
14
15
* This program is free software: you can redistribute it and/or
15
16
* modify it under the terms of the GNU General Public License as
25
26
* along with this program. If not, see
26
27
* <http://www.gnu.org/licenses/>.
27
28
*
28
* Contact the authors at <https://www.fukt.bsnet.se/~belorn/> and
29
* <https://www.fukt.bsnet.se/~teddy/>.
29
* Contact the authors at <mandos@recompile.se>.
30
30
*/
31
31
32
32
/* Needed by GPGME, specifically gpgme_data_seek() */
33
#ifndef _LARGEFILE_SOURCE
33
34
#define _LARGEFILE_SOURCE
35
#endif /* not _LARGEFILE_SOURCE */
36
#ifndef _FILE_OFFSET_BITS
34
37
#define _FILE_OFFSET_BITS 64
35
36
#include <stdio.h>
37
#include <assert.h>
38
#include <stdlib.h>
39
#include <time.h>
40
#include <net/if.h> /* if_nametoindex */
41
38
#endif /* not _FILE_OFFSET_BITS */
39
40
#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), asprintf() */
41
42
#include <stdio.h> /* fprintf(), stderr, fwrite(),
43
stdout, ferror() */
44
#include <stdint.h> /* uint16_t, uint32_t, intptr_t */
45
#include <stddef.h> /* NULL, size_t, ssize_t */
46
#include <stdlib.h> /* free(), EXIT_SUCCESS, srand(),
47
strtof(), abort() */
48
#include <stdbool.h> /* bool, false, true */
49
#include <string.h> /* memset(), strcmp(), strlen(),
50
strerror(), asprintf(), strcpy() */
51
#include <sys/ioctl.h> /* ioctl */
52
#include <sys/types.h> /* socket(), inet_pton(), sockaddr,
53
sockaddr_in6, PF_INET6,
54
SOCK_STREAM, uid_t, gid_t, open(),
55
opendir(), DIR */
56
#include <sys/stat.h> /* open(), S_ISREG */
57
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
58
inet_pton(), connect(),
59
getnameinfo() */
60
#include <fcntl.h> /* open(), unlinkat() */
61
#include <dirent.h> /* opendir(), struct dirent, readdir()
62
*/
63
#include <inttypes.h> /* PRIu16, PRIdMAX, intmax_t,
64
strtoimax() */
65
#include <errno.h> /* perror(), errno,
66
program_invocation_short_name */
67
#include <time.h> /* nanosleep(), time(), sleep() */
68
#include <net/if.h> /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP,
69
SIOCSIFFLAGS, if_indextoname(),
70
if_nametoindex(), IF_NAMESIZE */
71
#include <netinet/in.h> /* IN6_IS_ADDR_LINKLOCAL,
72
INET_ADDRSTRLEN, INET6_ADDRSTRLEN
73
*/
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
getuid(), getgid(), seteuid(),
76
setgid(), pause(), _exit(),
77
unlinkat() */
78
#include <arpa/inet.h> /* inet_pton(), htons() */
79
#include <iso646.h> /* not, or, and */
80
#include <argp.h> /* struct argp_option, error_t, struct
81
argp_state, struct argp,
82
argp_parse(), ARGP_KEY_ARG,
83
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
84
#include <signal.h> /* sigemptyset(), sigaddset(),
85
sigaction(), SIGTERM, sig_atomic_t,
86
raise() */
87
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
88
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
89
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
90
WEXITSTATUS(), WTERMSIG() */
91
#include <grp.h> /* setgroups() */
92
#include <argz.h> /* argz_add_sep(), argz_next(),
93
argz_delete(), argz_append(),
94
argz_stringify(), argz_add(),
95
argz_count() */
96
#include <netdb.h> /* getnameinfo(), NI_NUMERICHOST,
97
EAI_SYSTEM, gai_strerror() */
98
99
#ifdef __linux__
100
#include <sys/klog.h> /* klogctl() */
101
#endif /* __linux__ */
102
103
/* Avahi */
104
/* All Avahi types, constants and functions
105
Avahi*, avahi_*,
106
AVAHI_* */
42
107
#include <avahi-core/core.h>
43
108
#include <avahi-core/lookup.h>
44
109
#include <avahi-core/log.h>
46
111
#include <avahi-common/malloc.h>
47
112
#include <avahi-common/error.h>
48
113
49
//mandos client part
50
#include <sys/types.h> /* socket(), inet_pton() */
51
#include <sys/socket.h> /* socket(), struct sockaddr_in6,
52
struct in6_addr, inet_pton() */
53
#include <gnutls/gnutls.h> /* All GnuTLS stuff */
54
#include <gnutls/openpgp.h> /* GnuTLS with openpgp stuff */
55
56
#include <unistd.h> /* close() */
57
#include <netinet/in.h>
58
#include <stdbool.h> /* true */
59
#include <string.h> /* memset */
60
#include <arpa/inet.h> /* inet_pton() */
61
#include <iso646.h> /* not */
62
63
// gpgme
64
#include <errno.h> /* perror() */
65
#include <gpgme.h>
66
67
// getopt long
68
#include <getopt.h>
69
70
#ifndef CERT_ROOT
71
#define CERT_ROOT "/conf/conf.d/cryptkeyreq/"
72
#endif
73
#define CERTFILE CERT_ROOT "openpgp-client.txt"
74
#define KEYFILE CERT_ROOT "openpgp-client-key.txt"
114
/* GnuTLS */
115
#include <gnutls/gnutls.h> /* All GnuTLS types, constants and
116
functions:
117
gnutls_*
118
init_gnutls_session(),
119
GNUTLS_* */
120
#include <gnutls/openpgp.h>
121
/* gnutls_certificate_set_openpgp_key_file(),
122
GNUTLS_OPENPGP_FMT_BASE64 */
123
124
/* GPGME */
125
#include <gpgme.h> /* All GPGME types, constants and
126
functions:
127
gpgme_*
128
GPGME_PROTOCOL_OpenPGP,
129
GPG_ERR_NO_* */
130
75
131
#define BUFFER_SIZE 256
76
#define DH_BITS 1024
132
133
#define PATHDIR "/conf/conf.d/mandos"
134
#define SECKEY "seckey.txt"
135
#define PUBKEY "pubkey.txt"
136
#define HOOKDIR "/lib/mandos/network-hooks.d"
77
137
78
138
bool debug = false;
79
139
static const char mandos_protocol_version[] = "1";
140
const char *argp_program_version = "mandos-client " VERSION;
141
const char *argp_program_bug_address = "<mandos@recompile.se>";
142
static const char sys_class_net[] = "/sys/class/net";
143
char *connect_to = NULL;
144
const char *hookdir = HOOKDIR;
145
int hookdir_fd = -1;
146
uid_t uid = 65534;
147
gid_t gid = 65534;
148
149
/* Doubly linked list that need to be circularly linked when used */
150
typedef struct server{
151
const char *ip;
152
in_port_t port;
153
AvahiIfIndex if_index;
154
int af;
155
struct timespec last_seen;
156
struct server *next;
157
struct server *prev;
158
} server;
159
160
/* Used for passing in values through the Avahi callback functions */
80
161
typedef struct {
81
gnutls_session_t session;
162
AvahiServer *server;
82
163
gnutls_certificate_credentials_t cred;
164
unsigned int dh_bits;
83
165
gnutls_dh_params_t dh_params;
84
} encrypted_session;
85
86
87
ssize_t pgp_packet_decrypt (char *packet, size_t packet_size,
88
char **new_packet, const char *homedir){
89
gpgme_data_t dh_crypto, dh_plain;
166
const char *priority;
90
167
gpgme_ctx_t ctx;
168
server *current_server;
169
char *interfaces;
170
size_t interfaces_size;
171
} mandos_context;
172
173
/* global so signal handler can reach it*/
174
AvahiSimplePoll *simple_poll;
175
176
sig_atomic_t quit_now = 0;
177
int signal_received = 0;
178
179
/* Function to use when printing errors */
180
void perror_plus(const char *print_text){
181
int e = errno;
182
fprintf(stderr, "Mandos plugin %s: ",
183
program_invocation_short_name);
184
errno = e;
185
perror(print_text);
186
}
187
188
__attribute__((format (gnu_printf, 2, 3), nonnull))
189
int fprintf_plus(FILE *stream, const char *format, ...){
190
va_list ap;
191
va_start (ap, format);
192
193
TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",
194
program_invocation_short_name));
195
return (int)TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
196
}
197
198
/*
199
* Make additional room in "buffer" for at least BUFFER_SIZE more
200
* bytes. "buffer_capacity" is how much is currently allocated,
201
* "buffer_length" is how much is already used.
202
*/
203
__attribute__((nonnull, warn_unused_result))
204
size_t incbuffer(char **buffer, size_t buffer_length,
205
size_t buffer_capacity){
206
if(buffer_length + BUFFER_SIZE > buffer_capacity){
207
char *new_buf = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
208
if(new_buf == NULL){
209
int old_errno = errno;
210
free(*buffer);
211
errno = old_errno;
212
*buffer = NULL;
213
return 0;
214
}
215
*buffer = new_buf;
216
buffer_capacity += BUFFER_SIZE;
217
}
218
return buffer_capacity;
219
}
220
221
/* Add server to set of servers to retry periodically */
222
__attribute__((nonnull, warn_unused_result))
223
bool add_server(const char *ip, in_port_t port, AvahiIfIndex if_index,
224
int af, server **current_server){
225
int ret;
226
server *new_server = malloc(sizeof(server));
227
if(new_server == NULL){
228
perror_plus("malloc");
229
return false;
230
}
231
*new_server = (server){ .ip = strdup(ip),
232
.port = port,
233
.if_index = if_index,
234
.af = af };
235
if(new_server->ip == NULL){
236
perror_plus("strdup");
237
free(new_server);
238
return false;
239
}
240
ret = clock_gettime(CLOCK_MONOTONIC, &(new_server->last_seen));
241
if(ret == -1){
242
perror_plus("clock_gettime");
243
#ifdef __GNUC__
244
#pragma GCC diagnostic push
245
#pragma GCC diagnostic ignored "-Wcast-qual"
246
#endif
247
free((char *)(new_server->ip));
248
#ifdef __GNUC__
249
#pragma GCC diagnostic pop
250
#endif
251
free(new_server);
252
return false;
253
}
254
/* Special case of first server */
255
if(*current_server == NULL){
256
new_server->next = new_server;
257
new_server->prev = new_server;
258
*current_server = new_server;
259
} else {
260
/* Place the new server last in the list */
261
new_server->next = *current_server;
262
new_server->prev = (*current_server)->prev;
263
new_server->prev->next = new_server;
264
(*current_server)->prev = new_server;
265
}
266
return true;
267
}
268
269
/*
270
* Initialize GPGME.
271
*/
272
__attribute__((nonnull, warn_unused_result))
273
static bool init_gpgme(const char * const seckey,
274
const char * const pubkey,
275
const char * const tempdir,
276
mandos_context *mc){
91
277
gpgme_error_t rc;
92
ssize_t ret;
93
ssize_t new_packet_capacity = 0;
94
ssize_t new_packet_length = 0;
95
278
gpgme_engine_info_t engine_info;
96
97
if (debug){
98
fprintf(stderr, "Trying to decrypt OpenPGP packet\n");
279
280
/*
281
* Helper function to insert pub and seckey to the engine keyring.
282
*/
283
bool import_key(const char * const filename){
284
int ret;
285
int fd;
286
gpgme_data_t pgp_data;
287
288
fd = (int)TEMP_FAILURE_RETRY(open(filename, O_RDONLY));
289
if(fd == -1){
290
perror_plus("open");
291
return false;
292
}
293
294
rc = gpgme_data_new_from_fd(&pgp_data, fd);
295
if(rc != GPG_ERR_NO_ERROR){
296
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
297
gpgme_strsource(rc), gpgme_strerror(rc));
298
return false;
299
}
300
301
rc = gpgme_op_import(mc->ctx, pgp_data);
302
if(rc != GPG_ERR_NO_ERROR){
303
fprintf_plus(stderr, "bad gpgme_op_import: %s: %s\n",
304
gpgme_strsource(rc), gpgme_strerror(rc));
305
return false;
306
}
307
308
ret = (int)TEMP_FAILURE_RETRY(close(fd));
309
if(ret == -1){
310
perror_plus("close");
311
}
312
gpgme_data_release(pgp_data);
313
return true;
314
}
315
316
if(debug){
317
fprintf_plus(stderr, "Initializing GPGME\n");
99
318
}
100
319
101
320
/* Init GPGME */
102
321
gpgme_check_version(NULL);
103
gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
322
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
323
if(rc != GPG_ERR_NO_ERROR){
324
fprintf_plus(stderr, "bad gpgme_engine_check_version: %s: %s\n",
325
gpgme_strsource(rc), gpgme_strerror(rc));
326
return false;
327
}
104
328
105
/* Set GPGME home directory */
106
rc = gpgme_get_engine_info (&engine_info);
107
if (rc != GPG_ERR_NO_ERROR){
108
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
109
gpgme_strsource(rc), gpgme_strerror(rc));
110
return -1;
329
/* Set GPGME home directory for the OpenPGP engine only */
330
rc = gpgme_get_engine_info(&engine_info);
331
if(rc != GPG_ERR_NO_ERROR){
332
fprintf_plus(stderr, "bad gpgme_get_engine_info: %s: %s\n",
333
gpgme_strsource(rc), gpgme_strerror(rc));
334
return false;
111
335
}
112
336
while(engine_info != NULL){
113
337
if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){
114
338
gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP,
115
engine_info->file_name, homedir);
339
engine_info->file_name, tempdir);
116
340
break;
117
341
}
118
342
engine_info = engine_info->next;
119
343
}
120
344
if(engine_info == NULL){
121
fprintf(stderr, "Could not set home dir to %s\n", homedir);
122
return -1;
123
}
124
125
/* Create new GPGME data buffer from packet buffer */
126
rc = gpgme_data_new_from_mem(&dh_crypto, packet, packet_size, 0);
127
if (rc != GPG_ERR_NO_ERROR){
128
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
129
gpgme_strsource(rc), gpgme_strerror(rc));
345
fprintf_plus(stderr, "Could not set GPGME home dir to %s\n",
346
tempdir);
347
return false;
348
}
349
350
/* Create new GPGME "context" */
351
rc = gpgme_new(&(mc->ctx));
352
if(rc != GPG_ERR_NO_ERROR){
353
fprintf_plus(stderr, "Mandos plugin mandos-client: "
354
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
355
gpgme_strerror(rc));
356
return false;
357
}
358
359
if(not import_key(pubkey) or not import_key(seckey)){
360
return false;
361
}
362
363
return true;
364
}
365
366
/*
367
* Decrypt OpenPGP data.
368
* Returns -1 on error
369
*/
370
__attribute__((nonnull, warn_unused_result))
371
static ssize_t pgp_packet_decrypt(const char *cryptotext,
372
size_t crypto_size,
373
char **plaintext,
374
mandos_context *mc){
375
gpgme_data_t dh_crypto, dh_plain;
376
gpgme_error_t rc;
377
ssize_t ret;
378
size_t plaintext_capacity = 0;
379
ssize_t plaintext_length = 0;
380
381
if(debug){
382
fprintf_plus(stderr, "Trying to decrypt OpenPGP data\n");
383
}
384
385
/* Create new GPGME data buffer from memory cryptotext */
386
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
387
0);
388
if(rc != GPG_ERR_NO_ERROR){
389
fprintf_plus(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
390
gpgme_strsource(rc), gpgme_strerror(rc));
130
391
return -1;
131
392
}
132
393
133
394
/* Create new empty GPGME data buffer for the plaintext */
134
395
rc = gpgme_data_new(&dh_plain);
135
if (rc != GPG_ERR_NO_ERROR){
136
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
137
gpgme_strsource(rc), gpgme_strerror(rc));
138
return -1;
139
}
140
141
/* Create new GPGME "context" */
142
rc = gpgme_new(&ctx);
143
if (rc != GPG_ERR_NO_ERROR){
144
fprintf(stderr, "bad gpgme_new: %s: %s\n",
145
gpgme_strsource(rc), gpgme_strerror(rc));
146
return -1;
147
}
148
149
/* Decrypt data from the FILE pointer to the plaintext data
150
buffer */
151
rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain);
152
if (rc != GPG_ERR_NO_ERROR){
153
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
154
gpgme_strsource(rc), gpgme_strerror(rc));
155
return -1;
156
}
157
158
if(debug){
159
fprintf(stderr, "Decryption of OpenPGP packet succeeded\n");
160
}
161
162
if (debug){
163
gpgme_decrypt_result_t result;
164
result = gpgme_op_decrypt_result(ctx);
165
if (result == NULL){
166
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
167
} else {
168
fprintf(stderr, "Unsupported algorithm: %s\n",
169
result->unsupported_algorithm);
170
fprintf(stderr, "Wrong key usage: %d\n",
171
result->wrong_key_usage);
172
if(result->file_name != NULL){
173
fprintf(stderr, "File name: %s\n", result->file_name);
174
}
175
gpgme_recipient_t recipient;
176
recipient = result->recipients;
177
if(recipient){
396
if(rc != GPG_ERR_NO_ERROR){
397
fprintf_plus(stderr, "Mandos plugin mandos-client: "
398
"bad gpgme_data_new: %s: %s\n",
399
gpgme_strsource(rc), gpgme_strerror(rc));
400
gpgme_data_release(dh_crypto);
401
return -1;
402
}
403
404
/* Decrypt data from the cryptotext data buffer to the plaintext
405
data buffer */
406
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
407
if(rc != GPG_ERR_NO_ERROR){
408
fprintf_plus(stderr, "bad gpgme_op_decrypt: %s: %s\n",
409
gpgme_strsource(rc), gpgme_strerror(rc));
410
plaintext_length = -1;
411
if(debug){
412
gpgme_decrypt_result_t result;
413
result = gpgme_op_decrypt_result(mc->ctx);
414
if(result == NULL){
415
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
416
} else {
417
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
418
result->unsupported_algorithm);
419
fprintf_plus(stderr, "Wrong key usage: %u\n",
420
result->wrong_key_usage);
421
if(result->file_name != NULL){
422
fprintf_plus(stderr, "File name: %s\n", result->file_name);
423
}
424
gpgme_recipient_t recipient;
425
recipient = result->recipients;
178
426
while(recipient != NULL){
179
fprintf(stderr, "Public key algorithm: %s\n",
180
gpgme_pubkey_algo_name(recipient->pubkey_algo));
181
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
182
fprintf(stderr, "Secret key available: %s\n",
183
recipient->status == GPG_ERR_NO_SECKEY
184
? "No" : "Yes");
427
fprintf_plus(stderr, "Public key algorithm: %s\n",
428
gpgme_pubkey_algo_name
429
(recipient->pubkey_algo));
430
fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);
431
fprintf_plus(stderr, "Secret key available: %s\n",
432
recipient->status == GPG_ERR_NO_SECKEY
433
? "No" : "Yes");
185
434
recipient = recipient->next;
186
435
}
187
436
}
188
437
}
438
goto decrypt_end;
189
439
}
190
440
191
/* Delete the GPGME FILE pointer cryptotext data buffer */
192
gpgme_data_release(dh_crypto);
441
if(debug){
442
fprintf_plus(stderr, "Decryption of OpenPGP data succeeded\n");
443
}
193
444
194
445
/* Seek back to the beginning of the GPGME plaintext data buffer */
195
gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET);
196
197
*new_packet = 0;
446
if(gpgme_data_seek(dh_plain, (off_t)0, SEEK_SET) == -1){
447
perror_plus("gpgme_data_seek");
448
plaintext_length = -1;
449
goto decrypt_end;
450
}
451
452
*plaintext = NULL;
198
453
while(true){
199
if (new_packet_length + BUFFER_SIZE > new_packet_capacity){
200
*new_packet = realloc(*new_packet,
201
(unsigned int)new_packet_capacity
202
+ BUFFER_SIZE);
203
if (*new_packet == NULL){
204
perror("realloc");
205
return -1;
206
}
207
new_packet_capacity += BUFFER_SIZE;
454
plaintext_capacity = incbuffer(plaintext,
455
(size_t)plaintext_length,
456
plaintext_capacity);
457
if(plaintext_capacity == 0){
458
perror_plus("incbuffer");
459
plaintext_length = -1;
460
goto decrypt_end;
208
461
}
209
462
210
ret = gpgme_data_read(dh_plain, *new_packet + new_packet_length,
463
ret = gpgme_data_read(dh_plain, *plaintext + plaintext_length,
211
464
BUFFER_SIZE);
212
465
/* Print the data, if any */
213
if (ret == 0){
466
if(ret == 0){
467
/* EOF */
214
468
break;
215
469
}
216
470
if(ret < 0){
217
perror("gpgme_data_read");
218
return -1;
219
}
220
new_packet_length += ret;
221
}
222
223
/* FIXME: check characters before printing to screen so to not print
224
terminal control characters */
225
/* if(debug){ */
226
/* fprintf(stderr, "decrypted password is: "); */
227
/* fwrite(*new_packet, 1, new_packet_length, stderr); */
228
/* fprintf(stderr, "\n"); */
229
/* } */
471
perror_plus("gpgme_data_read");
472
plaintext_length = -1;
473
goto decrypt_end;
474
}
475
plaintext_length += ret;
476
}
477
478
if(debug){
479
fprintf_plus(stderr, "Decrypted password is: ");
480
for(ssize_t i = 0; i < plaintext_length; i++){
481
fprintf(stderr, "%02hhX ", (*plaintext)[i]);
482
}
483
fprintf(stderr, "\n");
484
}
485
486
decrypt_end:
487
488
/* Delete the GPGME cryptotext data buffer */
489
gpgme_data_release(dh_crypto);
230
490
231
491
/* Delete the GPGME plaintext data buffer */
232
492
gpgme_data_release(dh_plain);
233
return new_packet_length;
493
return plaintext_length;
234
494
}
235
495
236
static const char * safer_gnutls_strerror (int value) {
237
const char *ret = gnutls_strerror (value);
238
if (ret == NULL)
496
__attribute__((warn_unused_result))
497
static const char *safer_gnutls_strerror(int value){
498
const char *ret = gnutls_strerror(value);
499
if(ret == NULL)
239
500
ret = "(unknown)";
240
501
return ret;
241
502
}
242
503
243
void debuggnutls(__attribute__((unused)) int level,
244
const char* string){
245
fprintf(stderr, "%s", string);
504
/* GnuTLS log function callback */
505
__attribute__((nonnull))
506
static void debuggnutls(__attribute__((unused)) int level,
507
const char* string){
508
fprintf_plus(stderr, "GnuTLS: %s", string);
246
509
}
247
510
248
int initgnutls(encrypted_session *es){
249
const char *err;
511
__attribute__((nonnull, warn_unused_result))
512
static int init_gnutls_global(const char *pubkeyfilename,
513
const char *seckeyfilename,
514
mandos_context *mc){
250
515
int ret;
251
516
252
517
if(debug){
253
fprintf(stderr, "Initializing GnuTLS\n");
518
fprintf_plus(stderr, "Initializing GnuTLS\n");
254
519
}
255
520
256
if ((ret = gnutls_global_init ())
257
!= GNUTLS_E_SUCCESS) {
258
fprintf (stderr, "global_init: %s\n", safer_gnutls_strerror(ret));
521
ret = gnutls_global_init();
522
if(ret != GNUTLS_E_SUCCESS){
523
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
524
safer_gnutls_strerror(ret));
259
525
return -1;
260
526
}
261
262
if (debug){
527
528
if(debug){
529
/* "Use a log level over 10 to enable all debugging options."
530
* - GnuTLS manual
531
*/
263
532
gnutls_global_set_log_level(11);
264
533
gnutls_global_set_log_function(debuggnutls);
265
534
}
266
535
267
/* openpgp credentials */
268
if ((ret = gnutls_certificate_allocate_credentials (&es->cred))
269
!= GNUTLS_E_SUCCESS) {
270
fprintf (stderr, "memory error: %s\n",
271
safer_gnutls_strerror(ret));
536
/* OpenPGP credentials */
537
ret = gnutls_certificate_allocate_credentials(&mc->cred);
538
if(ret != GNUTLS_E_SUCCESS){
539
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
540
safer_gnutls_strerror(ret));
541
gnutls_global_deinit();
272
542
return -1;
273
543
}
274
544
275
545
if(debug){
276
fprintf(stderr, "Attempting to use OpenPGP certificate %s"
277
" and keyfile %s as GnuTLS credentials\n", CERTFILE,
278
KEYFILE);
546
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
547
" secret key %s as GnuTLS credentials\n",
548
pubkeyfilename,
549
seckeyfilename);
279
550
}
280
551
281
552
ret = gnutls_certificate_set_openpgp_key_file
282
(es->cred, CERTFILE, KEYFILE, GNUTLS_OPENPGP_FMT_BASE64);
283
if (ret != GNUTLS_E_SUCCESS) {
284
fprintf
285
(stderr, "Error[%d] while reading the OpenPGP key pair ('%s',"
286
" '%s')\n",
287
ret, CERTFILE, KEYFILE);
288
fprintf(stdout, "The Error is: %s\n",
289
safer_gnutls_strerror(ret));
290
return -1;
291
}
292
293
//GnuTLS server initialization
294
if ((ret = gnutls_dh_params_init (&es->dh_params))
295
!= GNUTLS_E_SUCCESS) {
296
fprintf (stderr, "Error in dh parameter initialization: %s\n",
297
safer_gnutls_strerror(ret));
298
return -1;
299
}
300
301
if ((ret = gnutls_dh_params_generate2 (es->dh_params, DH_BITS))
302
!= GNUTLS_E_SUCCESS) {
303
fprintf (stderr, "Error in prime generation: %s\n",
304
safer_gnutls_strerror(ret));
305
return -1;
306
}
307
308
gnutls_certificate_set_dh_params (es->cred, es->dh_params);
309
310
// GnuTLS session creation
311
if ((ret = gnutls_init (&es->session, GNUTLS_SERVER))
312
!= GNUTLS_E_SUCCESS){
313
fprintf(stderr, "Error in GnuTLS session initialization: %s\n",
314
safer_gnutls_strerror(ret));
315
}
316
317
if ((ret = gnutls_priority_set_direct (es->session, "NORMAL", &err))
318
!= GNUTLS_E_SUCCESS) {
319
fprintf(stderr, "Syntax error at: %s\n", err);
320
fprintf(stderr, "GnuTLS error: %s\n",
321
safer_gnutls_strerror(ret));
322
return -1;
323
}
324
325
if ((ret = gnutls_credentials_set
326
(es->session, GNUTLS_CRD_CERTIFICATE, es->cred))
327
!= GNUTLS_E_SUCCESS) {
328
fprintf(stderr, "Error setting a credentials set: %s\n",
329
safer_gnutls_strerror(ret));
553
(mc->cred, pubkeyfilename, seckeyfilename,
554
GNUTLS_OPENPGP_FMT_BASE64);
555
if(ret != GNUTLS_E_SUCCESS){
556
fprintf_plus(stderr,
557
"Error[%d] while reading the OpenPGP key pair ('%s',"
558
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
559
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
560
safer_gnutls_strerror(ret));
561
goto globalfail;
562
}
563
564
/* GnuTLS server initialization */
565
ret = gnutls_dh_params_init(&mc->dh_params);
566
if(ret != GNUTLS_E_SUCCESS){
567
fprintf_plus(stderr, "Error in GnuTLS DH parameter"
568
" initialization: %s\n",
569
safer_gnutls_strerror(ret));
570
goto globalfail;
571
}
572
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
573
if(ret != GNUTLS_E_SUCCESS){
574
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
575
safer_gnutls_strerror(ret));
576
goto globalfail;
577
}
578
579
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
580
581
return 0;
582
583
globalfail:
584
585
gnutls_certificate_free_credentials(mc->cred);
586
gnutls_global_deinit();
587
gnutls_dh_params_deinit(mc->dh_params);
588
return -1;
589
}
590
591
__attribute__((nonnull, warn_unused_result))
592
static int init_gnutls_session(gnutls_session_t *session,
593
mandos_context *mc){
594
int ret;
595
/* GnuTLS session creation */
596
do {
597
ret = gnutls_init(session, GNUTLS_SERVER);
598
if(quit_now){
599
return -1;
600
}
601
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
602
if(ret != GNUTLS_E_SUCCESS){
603
fprintf_plus(stderr,
604
"Error in GnuTLS session initialization: %s\n",
605
safer_gnutls_strerror(ret));
606
}
607
608
{
609
const char *err;
610
do {
611
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
612
if(quit_now){
613
gnutls_deinit(*session);
614
return -1;
615
}
616
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
617
if(ret != GNUTLS_E_SUCCESS){
618
fprintf_plus(stderr, "Syntax error at: %s\n", err);
619
fprintf_plus(stderr, "GnuTLS error: %s\n",
620
safer_gnutls_strerror(ret));
621
gnutls_deinit(*session);
622
return -1;
623
}
624
}
625
626
do {
627
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
628
mc->cred);
629
if(quit_now){
630
gnutls_deinit(*session);
631
return -1;
632
}
633
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
634
if(ret != GNUTLS_E_SUCCESS){
635
fprintf_plus(stderr, "Error setting GnuTLS credentials: %s\n",
636
safer_gnutls_strerror(ret));
637
gnutls_deinit(*session);
330
638
return -1;
331
639
}
332
640
333
641
/* ignore client certificate if any. */
334
gnutls_certificate_server_set_request (es->session,
335
GNUTLS_CERT_IGNORE);
642
gnutls_certificate_server_set_request(*session, GNUTLS_CERT_IGNORE);
336
643
337
gnutls_dh_set_prime_bits (es->session, DH_BITS);
644
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
338
645
339
646
return 0;
340
647
}
341
648
342
void empty_log(__attribute__((unused)) AvahiLogLevel level,
343
__attribute__((unused)) const char *txt){}
344
345
int start_mandos_communication(const char *ip, uint16_t port,
346
unsigned int if_index){
347
int ret, tcp_sd;
348
struct sockaddr_in6 to;
349
encrypted_session es;
649
/* Avahi log function callback */
650
static void empty_log(__attribute__((unused)) AvahiLogLevel level,
651
__attribute__((unused)) const char *txt){}
652
653
/* Set effective uid to 0, return errno */
654
__attribute__((warn_unused_result))
655
error_t raise_privileges(void){
656
error_t old_errno = errno;
657
error_t ret_errno = 0;
658
if(seteuid(0) == -1){
659
ret_errno = errno;
660
}
661
errno = old_errno;
662
return ret_errno;
663
}
664
665
/* Set effective and real user ID to 0. Return errno. */
666
__attribute__((warn_unused_result))
667
error_t raise_privileges_permanently(void){
668
error_t old_errno = errno;
669
error_t ret_errno = raise_privileges();
670
if(ret_errno != 0){
671
errno = old_errno;
672
return ret_errno;
673
}
674
if(setuid(0) == -1){
675
ret_errno = errno;
676
}
677
errno = old_errno;
678
return ret_errno;
679
}
680
681
/* Set effective user ID to unprivileged saved user ID */
682
__attribute__((warn_unused_result))
683
error_t lower_privileges(void){
684
error_t old_errno = errno;
685
error_t ret_errno = 0;
686
if(seteuid(uid) == -1){
687
ret_errno = errno;
688
}
689
errno = old_errno;
690
return ret_errno;
691
}
692
693
/* Lower privileges permanently */
694
__attribute__((warn_unused_result))
695
error_t lower_privileges_permanently(void){
696
error_t old_errno = errno;
697
error_t ret_errno = 0;
698
if(setuid(uid) == -1){
699
ret_errno = errno;
700
}
701
errno = old_errno;
702
return ret_errno;
703
}
704
705
/* Helper function to add_local_route() and delete_local_route() */
706
__attribute__((nonnull, warn_unused_result))
707
static bool add_delete_local_route(const bool add,
708
const char *address,
709
AvahiIfIndex if_index){
710
int ret;
711
char helper[] = "mandos-client-iprouteadddel";
712
char add_arg[] = "add";
713
char delete_arg[] = "delete";
714
char debug_flag[] = "--debug";
715
char *pluginhelperdir = getenv("MANDOSPLUGINHELPERDIR");
716
if(pluginhelperdir == NULL){
717
if(debug){
718
fprintf_plus(stderr, "MANDOSPLUGINHELPERDIR environment"
719
" variable not set; cannot run helper\n");
720
}
721
return false;
722
}
723
724
char interface[IF_NAMESIZE];
725
if(if_indextoname((unsigned int)if_index, interface) == NULL){
726
perror_plus("if_indextoname");
727
return false;
728
}
729
730
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
731
if(devnull == -1){
732
perror_plus("open(\"/dev/null\", O_RDONLY)");
733
return false;
734
}
735
pid_t pid = fork();
736
if(pid == 0){
737
/* Child */
738
/* Raise privileges */
739
errno = raise_privileges_permanently();
740
if(errno != 0){
741
perror_plus("Failed to raise privileges");
742
/* _exit(EX_NOPERM); */
743
} else {
744
/* Set group */
745
errno = 0;
746
ret = setgid(0);
747
if(ret == -1){
748
perror_plus("setgid");
749
_exit(EX_NOPERM);
750
}
751
/* Reset supplementary groups */
752
errno = 0;
753
ret = setgroups(0, NULL);
754
if(ret == -1){
755
perror_plus("setgroups");
756
_exit(EX_NOPERM);
757
}
758
}
759
ret = dup2(devnull, STDIN_FILENO);
760
if(ret == -1){
761
perror_plus("dup2(devnull, STDIN_FILENO)");
762
_exit(EX_OSERR);
763
}
764
ret = (int)TEMP_FAILURE_RETRY(close(devnull));
765
if(ret == -1){
766
perror_plus("close");
767
_exit(EX_OSERR);
768
}
769
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
770
if(ret == -1){
771
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
772
_exit(EX_OSERR);
773
}
774
int helperdir_fd = (int)TEMP_FAILURE_RETRY(open(pluginhelperdir,
775
O_RDONLY
776
| O_DIRECTORY
777
| O_PATH
778
| O_CLOEXEC));
779
if(helperdir_fd == -1){
780
perror_plus("open");
781
_exit(EX_UNAVAILABLE);
782
}
783
int helper_fd = (int)TEMP_FAILURE_RETRY(openat(helperdir_fd,
784
helper, O_RDONLY));
785
if(helper_fd == -1){
786
perror_plus("openat");
787
_exit(EX_UNAVAILABLE);
788
}
789
TEMP_FAILURE_RETRY(close(helperdir_fd));
790
#ifdef __GNUC__
791
#pragma GCC diagnostic push
792
#pragma GCC diagnostic ignored "-Wcast-qual"
793
#endif
794
if(fexecve(helper_fd, (char *const [])
795
{ helper, add ? add_arg : delete_arg, (char *)address,
796
interface, debug ? debug_flag : NULL, NULL },
797
environ) == -1){
798
#ifdef __GNUC__
799
#pragma GCC diagnostic pop
800
#endif
801
perror_plus("fexecve");
802
_exit(EXIT_FAILURE);
803
}
804
}
805
if(pid == -1){
806
perror_plus("fork");
807
return false;
808
}
809
int status;
810
pid_t pret = -1;
811
errno = 0;
812
do {
813
pret = waitpid(pid, &status, 0);
814
if(pret == -1 and errno == EINTR and quit_now){
815
int errno_raising = 0;
816
if((errno = raise_privileges()) != 0){
817
errno_raising = errno;
818
perror_plus("Failed to raise privileges in order to"
819
" kill helper program");
820
}
821
if(kill(pid, SIGTERM) == -1){
822
perror_plus("kill");
823
}
824
if((errno_raising == 0) and (errno = lower_privileges()) != 0){
825
perror_plus("Failed to lower privileges after killing"
826
" helper program");
827
}
828
return false;
829
}
830
} while(pret == -1 and errno == EINTR);
831
if(pret == -1){
832
perror_plus("waitpid");
833
return false;
834
}
835
if(WIFEXITED(status)){
836
if(WEXITSTATUS(status) != 0){
837
fprintf_plus(stderr, "Error: iprouteadddel exited"
838
" with status %d\n", WEXITSTATUS(status));
839
return false;
840
}
841
return true;
842
}
843
if(WIFSIGNALED(status)){
844
fprintf_plus(stderr, "Error: iprouteadddel died by"
845
" signal %d\n", WTERMSIG(status));
846
return false;
847
}
848
fprintf_plus(stderr, "Error: iprouteadddel crashed\n");
849
return false;
850
}
851
852
__attribute__((nonnull, warn_unused_result))
853
static bool add_local_route(const char *address,
854
AvahiIfIndex if_index){
855
if(debug){
856
fprintf_plus(stderr, "Adding route to %s\n", address);
857
}
858
return add_delete_local_route(true, address, if_index);
859
}
860
861
__attribute__((nonnull, warn_unused_result))
862
static bool delete_local_route(const char *address,
863
AvahiIfIndex if_index){
864
if(debug){
865
fprintf_plus(stderr, "Removing route to %s\n", address);
866
}
867
return add_delete_local_route(false, address, if_index);
868
}
869
870
/* Called when a Mandos server is found */
871
__attribute__((nonnull, warn_unused_result))
872
static int start_mandos_communication(const char *ip, in_port_t port,
873
AvahiIfIndex if_index,
874
int af, mandos_context *mc){
875
int ret, tcp_sd = -1;
876
ssize_t sret;
877
struct sockaddr_storage to;
350
878
char *buffer = NULL;
351
char *decrypted_buffer;
879
char *decrypted_buffer = NULL;
352
880
size_t buffer_length = 0;
353
881
size_t buffer_capacity = 0;
354
ssize_t decrypted_buffer_size;
355
size_t written = 0;
356
int retval = 0;
357
char interface[IF_NAMESIZE];
358
359
if(debug){
360
fprintf(stderr, "Setting up a tcp connection to %s, port %d\n",
361
ip, port);
362
}
363
364
tcp_sd = socket(PF_INET6, SOCK_STREAM, 0);
365
if(tcp_sd < 0) {
366
perror("socket");
367
return -1;
368
}
369
370
if(if_indextoname(if_index, interface) == NULL){
371
if(debug){
372
perror("if_indextoname");
373
}
374
return -1;
375
}
376
377
if(debug){
378
fprintf(stderr, "Binding to interface %s\n", interface);
379
}
380
381
memset(&to,0,sizeof(to)); /* Spurious warning */
382
to.sin6_family = AF_INET6;
383
ret = inet_pton(AF_INET6, ip, &to.sin6_addr);
384
if (ret < 0 ){
385
perror("inet_pton");
386
return -1;
387
}
882
size_t written;
883
int retval = -1;
884
gnutls_session_t session;
885
int pf; /* Protocol family */
886
bool route_added = false;
887
888
errno = 0;
889
890
if(quit_now){
891
errno = EINTR;
892
return -1;
893
}
894
895
switch(af){
896
case AF_INET6:
897
pf = PF_INET6;
898
break;
899
case AF_INET:
900
pf = PF_INET;
901
break;
902
default:
903
fprintf_plus(stderr, "Bad address family: %d\n", af);
904
errno = EINVAL;
905
return -1;
906
}
907
908
/* If the interface is specified and we have a list of interfaces */
909
if(if_index != AVAHI_IF_UNSPEC and mc->interfaces != NULL){
910
/* Check if the interface is one of the interfaces we are using */
911
bool match = false;
912
{
913
char *interface = NULL;
914
while((interface=argz_next(mc->interfaces, mc->interfaces_size,
915
interface))){
916
if(if_nametoindex(interface) == (unsigned int)if_index){
917
match = true;
918
break;
919
}
920
}
921
}
922
if(not match){
923
/* This interface does not match any in the list, so we don't
924
connect to the server */
925
if(debug){
926
char interface[IF_NAMESIZE];
927
if(if_indextoname((unsigned int)if_index, interface) == NULL){
928
perror_plus("if_indextoname");
929
} else {
930
fprintf_plus(stderr, "Skipping server on non-used interface"
931
" \"%s\"\n",
932
if_indextoname((unsigned int)if_index,
933
interface));
934
}
935
}
936
return -1;
937
}
938
}
939
940
ret = init_gnutls_session(&session, mc);
941
if(ret != 0){
942
return -1;
943
}
944
945
if(debug){
946
fprintf_plus(stderr, "Setting up a TCP connection to %s, port %"
947
PRIuMAX "\n", ip, (uintmax_t)port);
948
}
949
950
tcp_sd = socket(pf, SOCK_STREAM | SOCK_CLOEXEC, 0);
951
if(tcp_sd < 0){
952
int e = errno;
953
perror_plus("socket");
954
errno = e;
955
goto mandos_end;
956
}
957
958
if(quit_now){
959
errno = EINTR;
960
goto mandos_end;
961
}
962
963
memset(&to, 0, sizeof(to));
964
if(af == AF_INET6){
965
((struct sockaddr_in6 *)&to)->sin6_family = (sa_family_t)af;
966
ret = inet_pton(af, ip, &((struct sockaddr_in6 *)&to)->sin6_addr);
967
} else { /* IPv4 */
968
((struct sockaddr_in *)&to)->sin_family = (sa_family_t)af;
969
ret = inet_pton(af, ip, &((struct sockaddr_in *)&to)->sin_addr);
970
}
971
if(ret < 0 ){
972
int e = errno;
973
perror_plus("inet_pton");
974
errno = e;
975
goto mandos_end;
976
}
388
977
if(ret == 0){
389
fprintf(stderr, "Bad address: %s\n", ip);
390
return -1;
391
}
392
to.sin6_port = htons(port); /* Spurious warning */
393
394
to.sin6_scope_id = (uint32_t)if_index;
395
396
if(debug){
397
fprintf(stderr, "Connection to: %s, port %d\n", ip, port);
398
/* char addrstr[INET6_ADDRSTRLEN]; */
399
/* if(inet_ntop(to.sin6_family, &(to.sin6_addr), addrstr, */
400
/* sizeof(addrstr)) == NULL){ */
401
/* perror("inet_ntop"); */
402
/* } else { */
403
/* fprintf(stderr, "Really connecting to: %s, port %d\n", */
404
/* addrstr, ntohs(to.sin6_port)); */
405
/* } */
406
}
407
408
ret = connect(tcp_sd, (struct sockaddr *) &to, sizeof(to));
409
if (ret < 0){
410
perror("connect");
411
return -1;
412
}
413
414
ret = initgnutls (&es);
415
if (ret != 0){
416
retval = -1;
417
return -1;
418
}
419
420
gnutls_transport_set_ptr (es.session,
421
(gnutls_transport_ptr_t) tcp_sd);
422
423
if(debug){
424
fprintf(stderr, "Establishing TLS session with %s\n", ip);
425
}
426
427
ret = gnutls_handshake (es.session);
428
429
if (ret != GNUTLS_E_SUCCESS){
978
int e = errno;
979
fprintf_plus(stderr, "Bad address: %s\n", ip);
980
errno = e;
981
goto mandos_end;
982
}
983
if(af == AF_INET6){
984
((struct sockaddr_in6 *)&to)->sin6_port = htons(port);
985
if(IN6_IS_ADDR_LINKLOCAL
986
(&((struct sockaddr_in6 *)&to)->sin6_addr)){
987
if(if_index == AVAHI_IF_UNSPEC){
988
fprintf_plus(stderr, "An IPv6 link-local address is"
989
" incomplete without a network interface\n");
990
errno = EINVAL;
991
goto mandos_end;
992
}
993
/* Set the network interface number as scope */
994
((struct sockaddr_in6 *)&to)->sin6_scope_id = (uint32_t)if_index;
995
}
996
} else {
997
((struct sockaddr_in *)&to)->sin_port = htons(port);
998
}
999
1000
if(quit_now){
1001
errno = EINTR;
1002
goto mandos_end;
1003
}
1004
1005
if(debug){
1006
if(af == AF_INET6 and if_index != AVAHI_IF_UNSPEC){
1007
char interface[IF_NAMESIZE];
1008
if(if_indextoname((unsigned int)if_index, interface) == NULL){
1009
perror_plus("if_indextoname");
1010
} else {
1011
fprintf_plus(stderr, "Connection to: %s%%%s, port %" PRIuMAX
1012
"\n", ip, interface, (uintmax_t)port);
1013
}
1014
} else {
1015
fprintf_plus(stderr, "Connection to: %s, port %" PRIuMAX "\n",
1016
ip, (uintmax_t)port);
1017
}
1018
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
1019
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
1020
if(af == AF_INET6){
1021
ret = getnameinfo((struct sockaddr *)&to,
1022
sizeof(struct sockaddr_in6),
1023
addrstr, sizeof(addrstr), NULL, 0,
1024
NI_NUMERICHOST);
1025
} else {
1026
ret = getnameinfo((struct sockaddr *)&to,
1027
sizeof(struct sockaddr_in),
1028
addrstr, sizeof(addrstr), NULL, 0,
1029
NI_NUMERICHOST);
1030
}
1031
if(ret == EAI_SYSTEM){
1032
perror_plus("getnameinfo");
1033
} else if(ret != 0) {
1034
fprintf_plus(stderr, "getnameinfo: %s", gai_strerror(ret));
1035
} else if(strcmp(addrstr, ip) != 0){
1036
fprintf_plus(stderr, "Canonical address form: %s\n", addrstr);
1037
}
1038
}
1039
1040
if(quit_now){
1041
errno = EINTR;
1042
goto mandos_end;
1043
}
1044
1045
while(true){
1046
if(af == AF_INET6){
1047
ret = connect(tcp_sd, (struct sockaddr *)&to,
1048
sizeof(struct sockaddr_in6));
1049
} else {
1050
ret = connect(tcp_sd, (struct sockaddr *)&to, /* IPv4 */
1051
sizeof(struct sockaddr_in));
1052
}
1053
if(ret < 0){
1054
if(errno == ENETUNREACH
1055
and if_index != AVAHI_IF_UNSPEC
1056
and connect_to == NULL
1057
and not route_added and
1058
((af == AF_INET6 and not
1059
IN6_IS_ADDR_LINKLOCAL(&(((struct sockaddr_in6 *)
1060
&to)->sin6_addr)))
1061
or (af == AF_INET and
1062
/* Not a a IPv4LL address */
1063
(ntohl(((struct sockaddr_in *)&to)->sin_addr.s_addr)
1064
& 0xFFFF0000L) != 0xA9FE0000L))){
1065
/* Work around Avahi bug - Avahi does not announce link-local
1066
addresses if it has a global address, so local hosts with
1067
*only* a link-local address (e.g. Mandos clients) cannot
1068
connect to a Mandos server announced by Avahi on a server
1069
host with a global address. Work around this by retrying
1070
with an explicit route added with the server's address.
1071
1072
Avahi bug reference:
1073
http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1074
https://bugs.debian.org/587961
1075
*/
1076
if(debug){
1077
fprintf_plus(stderr, "Mandos server unreachable, trying"
1078
" direct route\n");
1079
}
1080
int e = errno;
1081
route_added = add_local_route(ip, if_index);
1082
if(route_added){
1083
continue;
1084
}
1085
errno = e;
1086
}
1087
if(errno != ECONNREFUSED or debug){
1088
int e = errno;
1089
perror_plus("connect");
1090
errno = e;
1091
}
1092
goto mandos_end;
1093
}
1094
1095
if(quit_now){
1096
errno = EINTR;
1097
goto mandos_end;
1098
}
1099
break;
1100
}
1101
1102
const char *out = mandos_protocol_version;
1103
written = 0;
1104
while(true){
1105
size_t out_size = strlen(out);
1106
ret = (int)TEMP_FAILURE_RETRY(write(tcp_sd, out + written,
1107
out_size - written));
1108
if(ret == -1){
1109
int e = errno;
1110
perror_plus("write");
1111
errno = e;
1112
goto mandos_end;
1113
}
1114
written += (size_t)ret;
1115
if(written < out_size){
1116
continue;
1117
} else {
1118
if(out == mandos_protocol_version){
1119
written = 0;
1120
out = "\r\n";
1121
} else {
1122
break;
1123
}
1124
}
1125
1126
if(quit_now){
1127
errno = EINTR;
1128
goto mandos_end;
1129
}
1130
}
1131
1132
if(debug){
1133
fprintf_plus(stderr, "Establishing TLS session with %s\n", ip);
1134
}
1135
1136
if(quit_now){
1137
errno = EINTR;
1138
goto mandos_end;
1139
}
1140
1141
/* This casting via intptr_t is to eliminate warning about casting
1142
an int to a pointer type. This is exactly how the GnuTLS Guile
1143
function "set-session-transport-fd!" does it. */
1144
gnutls_transport_set_ptr(session,
1145
(gnutls_transport_ptr_t)(intptr_t)tcp_sd);
1146
1147
if(quit_now){
1148
errno = EINTR;
1149
goto mandos_end;
1150
}
1151
1152
do {
1153
ret = gnutls_handshake(session);
1154
if(quit_now){
1155
errno = EINTR;
1156
goto mandos_end;
1157
}
1158
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
1159
1160
if(ret != GNUTLS_E_SUCCESS){
430
1161
if(debug){
431
fprintf(stderr, "\n*** Handshake failed ***\n");
432
gnutls_perror (ret);
1162
fprintf_plus(stderr, "*** GnuTLS Handshake failed ***\n");
1163
gnutls_perror(ret);
433
1164
}
434
retval = -1;
435
goto exit;
1165
errno = EPROTO;
1166
goto mandos_end;
436
1167
}
437
1168
438
//Retrieve OpenPGP packet that contains the wanted password
1169
/* Read OpenPGP packet that contains the wanted password */
439
1170
440
1171
if(debug){
441
fprintf(stderr, "Retrieving pgp encrypted password from %s\n",
442
ip);
1172
fprintf_plus(stderr, "Retrieving OpenPGP encrypted password from"
1173
" %s\n", ip);
443
1174
}
444
1175
445
1176
while(true){
446
if (buffer_length + BUFFER_SIZE > buffer_capacity){
447
buffer = realloc(buffer, buffer_capacity + BUFFER_SIZE);
448
if (buffer == NULL){
449
perror("realloc");
450
goto exit;
451
}
452
buffer_capacity += BUFFER_SIZE;
453
}
454
455
ret = gnutls_record_recv
456
(es.session, buffer+buffer_length, BUFFER_SIZE);
457
if (ret == 0){
1177
1178
if(quit_now){
1179
errno = EINTR;
1180
goto mandos_end;
1181
}
1182
1183
buffer_capacity = incbuffer(&buffer, buffer_length,
1184
buffer_capacity);
1185
if(buffer_capacity == 0){
1186
int e = errno;
1187
perror_plus("incbuffer");
1188
errno = e;
1189
goto mandos_end;
1190
}
1191
1192
if(quit_now){
1193
errno = EINTR;
1194
goto mandos_end;
1195
}
1196
1197
sret = gnutls_record_recv(session, buffer+buffer_length,
1198
BUFFER_SIZE);
1199
if(sret == 0){
458
1200
break;
459
1201
}
460
if (ret < 0){
461
switch(ret){
1202
if(sret < 0){
1203
switch(sret){
462
1204
case GNUTLS_E_INTERRUPTED:
463
1205
case GNUTLS_E_AGAIN:
464
1206
break;
465
1207
case GNUTLS_E_REHANDSHAKE:
466
ret = gnutls_handshake (es.session);
467
if (ret < 0){
468
fprintf(stderr, "\n*** Handshake failed ***\n");
469
gnutls_perror (ret);
470
retval = -1;
471
goto exit;
1208
do {
1209
ret = gnutls_handshake(session);
1210
1211
if(quit_now){
1212
errno = EINTR;
1213
goto mandos_end;
1214
}
1215
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
1216
if(ret < 0){
1217
fprintf_plus(stderr, "*** GnuTLS Re-handshake failed "
1218
"***\n");
1219
gnutls_perror(ret);
1220
errno = EPROTO;
1221
goto mandos_end;
472
1222
}
473
1223
break;
474
1224
default:
475
fprintf(stderr, "Unknown error while reading data from"
476
" encrypted session with mandos server\n");
477
retval = -1;
478
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
479
goto exit;
1225
fprintf_plus(stderr, "Unknown error while reading data from"
1226
" encrypted session with Mandos server\n");
1227
gnutls_bye(session, GNUTLS_SHUT_RDWR);
1228
errno = EIO;
1229
goto mandos_end;
480
1230
}
481
1231
} else {
482
buffer_length += (size_t) ret;
483
}
484
}
485
486
if (buffer_length > 0){
487
decrypted_buffer_size = pgp_packet_decrypt(buffer,
488
buffer_length,
489
&decrypted_buffer,
490
CERT_ROOT);
491
if (decrypted_buffer_size >= 0){
1232
buffer_length += (size_t) sret;
1233
}
1234
}
1235
1236
if(debug){
1237
fprintf_plus(stderr, "Closing TLS session\n");
1238
}
1239
1240
if(quit_now){
1241
errno = EINTR;
1242
goto mandos_end;
1243
}
1244
1245
do {
1246
ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);
1247
if(quit_now){
1248
errno = EINTR;
1249
goto mandos_end;
1250
}
1251
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
1252
1253
if(buffer_length > 0){
1254
ssize_t decrypted_buffer_size;
1255
decrypted_buffer_size = pgp_packet_decrypt(buffer, buffer_length,
1256
&decrypted_buffer, mc);
1257
if(decrypted_buffer_size >= 0){
1258
1259
written = 0;
492
1260
while(written < (size_t) decrypted_buffer_size){
493
ret = (int)fwrite (decrypted_buffer + written, 1,
494
(size_t)decrypted_buffer_size - written,
495
stdout);
1261
if(quit_now){
1262
errno = EINTR;
1263
goto mandos_end;
1264
}
1265
1266
ret = (int)fwrite(decrypted_buffer + written, 1,
1267
(size_t)decrypted_buffer_size - written,
1268
stdout);
496
1269
if(ret == 0 and ferror(stdout)){
1270
int e = errno;
497
1271
if(debug){
498
fprintf(stderr, "Error writing encrypted data: %s\n",
499
strerror(errno));
1272
fprintf_plus(stderr, "Error writing encrypted data: %s\n",
1273
strerror(errno));
500
1274
}
501
retval = -1;
502
break;
1275
errno = e;
1276
goto mandos_end;
503
1277
}
504
1278
written += (size_t)ret;
505
1279
}
506
free(decrypted_buffer);
507
} else {
1280
retval = 0;
1281
}
1282
}
1283
1284
/* Shutdown procedure */
1285
1286
mandos_end:
1287
{
1288
if(route_added){
1289
if(not delete_local_route(ip, if_index)){
1290
fprintf_plus(stderr, "Failed to delete local route to %s on"
1291
" interface %d", ip, if_index);
1292
}
1293
}
1294
int e = errno;
1295
free(decrypted_buffer);
1296
free(buffer);
1297
if(tcp_sd >= 0){
1298
ret = (int)TEMP_FAILURE_RETRY(close(tcp_sd));
1299
}
1300
if(ret == -1){
1301
if(e == 0){
1302
e = errno;
1303
}
1304
perror_plus("close");
1305
}
1306
gnutls_deinit(session);
1307
errno = e;
1308
if(quit_now){
1309
errno = EINTR;
508
1310
retval = -1;
509
1311
}
510
1312
}
511
512
//shutdown procedure
513
514
if(debug){
515
fprintf(stderr, "Closing TLS session\n");
516
}
517
518
free(buffer);
519
gnutls_bye (es.session, GNUTLS_SHUT_RDWR);
520
exit:
521
close(tcp_sd);
522
gnutls_deinit (es.session);
523
gnutls_certificate_free_credentials (es.cred);
524
gnutls_global_deinit ();
525
1313
return retval;
526
1314
}
527
1315
528
static AvahiSimplePoll *simple_poll = NULL;
529
static AvahiServer *server = NULL;
530
531
static void resolve_callback(
532
AvahiSServiceResolver *r,
533
AvahiIfIndex interface,
534
AVAHI_GCC_UNUSED AvahiProtocol protocol,
535
AvahiResolverEvent event,
536
const char *name,
537
const char *type,
538
const char *domain,
539
const char *host_name,
540
const AvahiAddress *address,
541
uint16_t port,
542
AVAHI_GCC_UNUSED AvahiStringList *txt,
543
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
544
AVAHI_GCC_UNUSED void* userdata) {
545
546
assert(r); /* Spurious warning */
1316
__attribute__((nonnull))
1317
static void resolve_callback(AvahiSServiceResolver *r,
1318
AvahiIfIndex interface,
1319
AvahiProtocol proto,
1320
AvahiResolverEvent event,
1321
const char *name,
1322
const char *type,
1323
const char *domain,
1324
const char *host_name,
1325
const AvahiAddress *address,
1326
uint16_t port,
1327
AVAHI_GCC_UNUSED AvahiStringList *txt,
1328
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1329
flags,
1330
void *mc){
1331
if(r == NULL){
1332
return;
1333
}
547
1334
548
1335
/* Called whenever a service has been resolved successfully or
549
1336
timed out */
550
1337
551
switch (event) {
1338
if(quit_now){
1339
avahi_s_service_resolver_free(r);
1340
return;
1341
}
1342
1343
switch(event){
552
1344
default:
553
1345
case AVAHI_RESOLVER_FAILURE:
554
fprintf(stderr, "(Resolver) Failed to resolve service '%s' of"
555
" type '%s' in domain '%s': %s\n", name, type, domain,
556
avahi_strerror(avahi_server_errno(server)));
1346
fprintf_plus(stderr, "(Avahi Resolver) Failed to resolve service "
1347
"'%s' of type '%s' in domain '%s': %s\n", name, type,
1348
domain,
1349
avahi_strerror(avahi_server_errno
1350
(((mandos_context*)mc)->server)));
557
1351
break;
558
1352
559
1353
case AVAHI_RESOLVER_FOUND:
561
1355
char ip[AVAHI_ADDRESS_STR_MAX];
562
1356
avahi_address_snprint(ip, sizeof(ip), address);
563
1357
if(debug){
564
fprintf(stderr, "Mandos server \"%s\" found on %s (%s) on"
565
" port %d\n", name, host_name, ip, port);
1358
fprintf_plus(stderr, "Mandos server \"%s\" found on %s (%s, %"
1359
PRIdMAX ") on port %" PRIu16 "\n", name,
1360
host_name, ip, (intmax_t)interface, port);
566
1361
}
567
int ret = start_mandos_communication(ip, port,
568
(unsigned int) interface);
569
if (ret == 0){
570
exit(EXIT_SUCCESS);
1362
int ret = start_mandos_communication(ip, (in_port_t)port,
1363
interface,
1364
avahi_proto_to_af(proto),
1365
mc);
1366
if(ret == 0){
1367
avahi_simple_poll_quit(simple_poll);
1368
} else {
1369
if(not add_server(ip, (in_port_t)port, interface,
1370
avahi_proto_to_af(proto),
1371
&((mandos_context*)mc)->current_server)){
1372
fprintf_plus(stderr, "Failed to add server \"%s\" to server"
1373
" list\n", name);
1374
}
571
1375
}
572
1376
}
573
1377
}
574
1378
avahi_s_service_resolver_free(r);
575
1379
}
576
1380
577
static void browse_callback(
578
AvahiSServiceBrowser *b,
579
AvahiIfIndex interface,
580
AvahiProtocol protocol,
581
AvahiBrowserEvent event,
582
const char *name,
583
const char *type,
584
const char *domain,
585
AVAHI_GCC_UNUSED AvahiLookupResultFlags flags,
586
void* userdata) {
587
588
AvahiServer *s = userdata;
589
assert(b); /* Spurious warning */
590
591
/* Called whenever a new services becomes available on the LAN or
592
is removed from the LAN */
593
594
switch (event) {
1381
static void browse_callback(AvahiSServiceBrowser *b,
1382
AvahiIfIndex interface,
1383
AvahiProtocol protocol,
1384
AvahiBrowserEvent event,
1385
const char *name,
1386
const char *type,
1387
const char *domain,
1388
AVAHI_GCC_UNUSED AvahiLookupResultFlags
1389
flags,
1390
void *mc){
1391
if(b == NULL){
1392
return;
1393
}
1394
1395
/* Called whenever a new services becomes available on the LAN or
1396
is removed from the LAN */
1397
1398
if(quit_now){
1399
return;
1400
}
1401
1402
switch(event){
1403
default:
1404
case AVAHI_BROWSER_FAILURE:
1405
1406
fprintf_plus(stderr, "(Avahi browser) %s\n",
1407
avahi_strerror(avahi_server_errno
1408
(((mandos_context*)mc)->server)));
1409
avahi_simple_poll_quit(simple_poll);
1410
return;
1411
1412
case AVAHI_BROWSER_NEW:
1413
/* We ignore the returned Avahi resolver object. In the callback
1414
function we free it. If the Avahi server is terminated before
1415
the callback function is called the Avahi server will free the
1416
resolver for us. */
1417
1418
if(avahi_s_service_resolver_new(((mandos_context*)mc)->server,
1419
interface, protocol, name, type,
1420
domain, protocol, 0,
1421
resolve_callback, mc) == NULL)
1422
fprintf_plus(stderr, "Avahi: Failed to resolve service '%s':"
1423
" %s\n", name,
1424
avahi_strerror(avahi_server_errno
1425
(((mandos_context*)mc)->server)));
1426
break;
1427
1428
case AVAHI_BROWSER_REMOVE:
1429
break;
1430
1431
case AVAHI_BROWSER_ALL_FOR_NOW:
1432
case AVAHI_BROWSER_CACHE_EXHAUSTED:
1433
if(debug){
1434
fprintf_plus(stderr, "No Mandos server found, still"
1435
" searching...\n");
1436
}
1437
break;
1438
}
1439
}
1440
1441
/* Signal handler that stops main loop after SIGTERM */
1442
static void handle_sigterm(int sig){
1443
if(quit_now){
1444
return;
1445
}
1446
quit_now = 1;
1447
signal_received = sig;
1448
int old_errno = errno;
1449
/* set main loop to exit */
1450
if(simple_poll != NULL){
1451
avahi_simple_poll_quit(simple_poll);
1452
}
1453
errno = old_errno;
1454
}
1455
1456
__attribute__((nonnull, warn_unused_result))
1457
bool get_flags(const char *ifname, struct ifreq *ifr){
1458
int ret;
1459
error_t ret_errno;
1460
1461
int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1462
if(s < 0){
1463
ret_errno = errno;
1464
perror_plus("socket");
1465
errno = ret_errno;
1466
return false;
1467
}
1468
strcpy(ifr->ifr_name, ifname);
1469
ret = ioctl(s, SIOCGIFFLAGS, ifr);
1470
if(ret == -1){
1471
if(debug){
1472
ret_errno = errno;
1473
perror_plus("ioctl SIOCGIFFLAGS");
1474
errno = ret_errno;
1475
}
1476
return false;
1477
}
1478
return true;
1479
}
1480
1481
__attribute__((nonnull, warn_unused_result))
1482
bool good_flags(const char *ifname, const struct ifreq *ifr){
1483
1484
/* Reject the loopback device */
1485
if(ifr->ifr_flags & IFF_LOOPBACK){
1486
if(debug){
1487
fprintf_plus(stderr, "Rejecting loopback interface \"%s\"\n",
1488
ifname);
1489
}
1490
return false;
1491
}
1492
/* Accept point-to-point devices only if connect_to is specified */
1493
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1494
if(debug){
1495
fprintf_plus(stderr, "Accepting point-to-point interface"
1496
" \"%s\"\n", ifname);
1497
}
1498
return true;
1499
}
1500
/* Otherwise, reject non-broadcast-capable devices */
1501
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1502
if(debug){
1503
fprintf_plus(stderr, "Rejecting non-broadcast interface"
1504
" \"%s\"\n", ifname);
1505
}
1506
return false;
1507
}
1508
/* Reject non-ARP interfaces (including dummy interfaces) */
1509
if(ifr->ifr_flags & IFF_NOARP){
1510
if(debug){
1511
fprintf_plus(stderr, "Rejecting non-ARP interface \"%s\"\n",
1512
ifname);
1513
}
1514
return false;
1515
}
1516
1517
/* Accept this device */
1518
if(debug){
1519
fprintf_plus(stderr, "Interface \"%s\" is good\n", ifname);
1520
}
1521
return true;
1522
}
1523
1524
/*
1525
* This function determines if a directory entry in /sys/class/net
1526
* corresponds to an acceptable network device.
1527
* (This function is passed to scandir(3) as a filter function.)
1528
*/
1529
__attribute__((nonnull, warn_unused_result))
1530
int good_interface(const struct dirent *if_entry){
1531
if(if_entry->d_name[0] == '.'){
1532
return 0;
1533
}
1534
1535
struct ifreq ifr;
1536
if(not get_flags(if_entry->d_name, &ifr)){
1537
if(debug){
1538
fprintf_plus(stderr, "Failed to get flags for interface "
1539
"\"%s\"\n", if_entry->d_name);
1540
}
1541
return 0;
1542
}
1543
1544
if(not good_flags(if_entry->d_name, &ifr)){
1545
return 0;
1546
}
1547
return 1;
1548
}
1549
1550
/*
1551
* This function determines if a network interface is up.
1552
*/
1553
__attribute__((nonnull, warn_unused_result))
1554
bool interface_is_up(const char *interface){
1555
struct ifreq ifr;
1556
if(not get_flags(interface, &ifr)){
1557
if(debug){
1558
fprintf_plus(stderr, "Failed to get flags for interface "
1559
"\"%s\"\n", interface);
1560
}
1561
return false;
1562
}
1563
1564
return (bool)(ifr.ifr_flags & IFF_UP);
1565
}
1566
1567
/*
1568
* This function determines if a network interface is running
1569
*/
1570
__attribute__((nonnull, warn_unused_result))
1571
bool interface_is_running(const char *interface){
1572
struct ifreq ifr;
1573
if(not get_flags(interface, &ifr)){
1574
if(debug){
1575
fprintf_plus(stderr, "Failed to get flags for interface "
1576
"\"%s\"\n", interface);
1577
}
1578
return false;
1579
}
1580
1581
return (bool)(ifr.ifr_flags & IFF_RUNNING);
1582
}
1583
1584
__attribute__((nonnull, pure, warn_unused_result))
1585
int notdotentries(const struct dirent *direntry){
1586
/* Skip "." and ".." */
1587
if(direntry->d_name[0] == '.'
1588
and (direntry->d_name[1] == '\0'
1589
or (direntry->d_name[1] == '.'
1590
and direntry->d_name[2] == '\0'))){
1591
return 0;
1592
}
1593
return 1;
1594
}
1595
1596
/* Is this directory entry a runnable program? */
1597
__attribute__((nonnull, warn_unused_result))
1598
int runnable_hook(const struct dirent *direntry){
1599
int ret;
1600
size_t sret;
1601
struct stat st;
1602
1603
if((direntry->d_name)[0] == '\0'){
1604
/* Empty name? */
1605
return 0;
1606
}
1607
1608
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1609
"abcdefghijklmnopqrstuvwxyz"
1610
"0123456789"
1611
"_.-");
1612
if((direntry->d_name)[sret] != '\0'){
1613
/* Contains non-allowed characters */
1614
if(debug){
1615
fprintf_plus(stderr, "Ignoring hook \"%s\" with bad name\n",
1616
direntry->d_name);
1617
}
1618
return 0;
1619
}
1620
1621
ret = fstatat(hookdir_fd, direntry->d_name, &st, 0);
1622
if(ret == -1){
1623
if(debug){
1624
perror_plus("Could not stat hook");
1625
}
1626
return 0;
1627
}
1628
if(not (S_ISREG(st.st_mode))){
1629
/* Not a regular file */
1630
if(debug){
1631
fprintf_plus(stderr, "Ignoring hook \"%s\" - not a file\n",
1632
direntry->d_name);
1633
}
1634
return 0;
1635
}
1636
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1637
/* Not executable */
1638
if(debug){
1639
fprintf_plus(stderr, "Ignoring hook \"%s\" - not executable\n",
1640
direntry->d_name);
1641
}
1642
return 0;
1643
}
1644
if(debug){
1645
fprintf_plus(stderr, "Hook \"%s\" is acceptable\n",
1646
direntry->d_name);
1647
}
1648
return 1;
1649
}
1650
1651
__attribute__((nonnull, warn_unused_result))
1652
int avahi_loop_with_timeout(AvahiSimplePoll *s, int retry_interval,
1653
mandos_context *mc){
1654
int ret;
1655
struct timespec now;
1656
struct timespec waited_time;
1657
intmax_t block_time;
1658
1659
while(true){
1660
if(mc->current_server == NULL){
1661
if(debug){
1662
fprintf_plus(stderr, "Wait until first server is found."
1663
" No timeout!\n");
1664
}
1665
ret = avahi_simple_poll_iterate(s, -1);
1666
} else {
1667
if(debug){
1668
fprintf_plus(stderr, "Check current_server if we should run"
1669
" it, or wait\n");
1670
}
1671
/* the current time */
1672
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1673
if(ret == -1){
1674
perror_plus("clock_gettime");
1675
return -1;
1676
}
1677
/* Calculating in ms how long time between now and server
1678
who we visted longest time ago. Now - last seen. */
1679
waited_time.tv_sec = (now.tv_sec
1680
- mc->current_server->last_seen.tv_sec);
1681
waited_time.tv_nsec = (now.tv_nsec
1682
- mc->current_server->last_seen.tv_nsec);
1683
/* total time is 10s/10,000ms.
1684
Converting to s from ms by dividing by 1,000,
1685
and ns to ms by dividing by 1,000,000. */
1686
block_time = ((retry_interval
1687
- ((intmax_t)waited_time.tv_sec * 1000))
1688
- ((intmax_t)waited_time.tv_nsec / 1000000));
1689
1690
if(debug){
1691
fprintf_plus(stderr, "Blocking for %" PRIdMAX " ms\n",
1692
block_time);
1693
}
1694
1695
if(block_time <= 0){
1696
ret = start_mandos_communication(mc->current_server->ip,
1697
mc->current_server->port,
1698
mc->current_server->if_index,
1699
mc->current_server->af, mc);
1700
if(ret == 0){
1701
avahi_simple_poll_quit(s);
1702
return 0;
1703
}
1704
ret = clock_gettime(CLOCK_MONOTONIC,
1705
&mc->current_server->last_seen);
1706
if(ret == -1){
1707
perror_plus("clock_gettime");
1708
return -1;
1709
}
1710
mc->current_server = mc->current_server->next;
1711
block_time = 0; /* Call avahi to find new Mandos
1712
servers, but don't block */
1713
}
1714
1715
ret = avahi_simple_poll_iterate(s, (int)block_time);
1716
}
1717
if(ret != 0){
1718
if(ret > 0 or errno != EINTR){
1719
return (ret != 1) ? ret : 0;
1720
}
1721
}
1722
}
1723
}
1724
1725
__attribute__((nonnull))
1726
void run_network_hooks(const char *mode, const char *interface,
1727
const float delay){
1728
struct dirent **direntries = NULL;
1729
if(hookdir_fd == -1){
1730
hookdir_fd = open(hookdir, O_RDONLY | O_DIRECTORY | O_PATH
1731
| O_CLOEXEC);
1732
if(hookdir_fd == -1){
1733
if(errno == ENOENT){
1734
if(debug){
1735
fprintf_plus(stderr, "Network hook directory \"%s\" not"
1736
" found\n", hookdir);
1737
}
1738
} else {
1739
perror_plus("open");
1740
}
1741
return;
1742
}
1743
}
1744
#ifdef __GLIBC__
1745
#if __GLIBC_PREREQ(2, 15)
1746
int numhooks = scandirat(hookdir_fd, ".", &direntries,
1747
runnable_hook, alphasort);
1748
#else /* not __GLIBC_PREREQ(2, 15) */
1749
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1750
alphasort);
1751
#endif /* not __GLIBC_PREREQ(2, 15) */
1752
#else /* not __GLIBC__ */
1753
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1754
alphasort);
1755
#endif /* not __GLIBC__ */
1756
if(numhooks == -1){
1757
perror_plus("scandir");
1758
return;
1759
}
1760
struct dirent *direntry;
1761
int ret;
1762
int devnull = (int)TEMP_FAILURE_RETRY(open("/dev/null", O_RDONLY));
1763
if(devnull == -1){
1764
perror_plus("open(\"/dev/null\", O_RDONLY)");
1765
return;
1766
}
1767
for(int i = 0; i < numhooks; i++){
1768
direntry = direntries[i];
1769
if(debug){
1770
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1771
direntry->d_name);
1772
}
1773
pid_t hook_pid = fork();
1774
if(hook_pid == 0){
1775
/* Child */
1776
/* Raise privileges */
1777
errno = raise_privileges_permanently();
1778
if(errno != 0){
1779
perror_plus("Failed to raise privileges");
1780
_exit(EX_NOPERM);
1781
}
1782
/* Set group */
1783
errno = 0;
1784
ret = setgid(0);
1785
if(ret == -1){
1786
perror_plus("setgid");
1787
_exit(EX_NOPERM);
1788
}
1789
/* Reset supplementary groups */
1790
errno = 0;
1791
ret = setgroups(0, NULL);
1792
if(ret == -1){
1793
perror_plus("setgroups");
1794
_exit(EX_NOPERM);
1795
}
1796
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1797
if(ret == -1){
1798
perror_plus("setenv");
1799
_exit(EX_OSERR);
1800
}
1801
ret = setenv("DEVICE", interface, 1);
1802
if(ret == -1){
1803
perror_plus("setenv");
1804
_exit(EX_OSERR);
1805
}
1806
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1807
if(ret == -1){
1808
perror_plus("setenv");
1809
_exit(EX_OSERR);
1810
}
1811
ret = setenv("MODE", mode, 1);
1812
if(ret == -1){
1813
perror_plus("setenv");
1814
_exit(EX_OSERR);
1815
}
1816
char *delaystring;
1817
ret = asprintf(&delaystring, "%f", (double)delay);
1818
if(ret == -1){
1819
perror_plus("asprintf");
1820
_exit(EX_OSERR);
1821
}
1822
ret = setenv("DELAY", delaystring, 1);
1823
if(ret == -1){
1824
free(delaystring);
1825
perror_plus("setenv");
1826
_exit(EX_OSERR);
1827
}
1828
free(delaystring);
1829
if(connect_to != NULL){
1830
ret = setenv("CONNECT", connect_to, 1);
1831
if(ret == -1){
1832
perror_plus("setenv");
1833
_exit(EX_OSERR);
1834
}
1835
}
1836
int hook_fd = (int)TEMP_FAILURE_RETRY(openat(hookdir_fd,
1837
direntry->d_name,
1838
O_RDONLY));
1839
if(hook_fd == -1){
1840
perror_plus("openat");
1841
_exit(EXIT_FAILURE);
1842
}
1843
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1844
perror_plus("close");
1845
_exit(EXIT_FAILURE);
1846
}
1847
ret = dup2(devnull, STDIN_FILENO);
1848
if(ret == -1){
1849
perror_plus("dup2(devnull, STDIN_FILENO)");
1850
_exit(EX_OSERR);
1851
}
1852
ret = (int)TEMP_FAILURE_RETRY(close(devnull));
1853
if(ret == -1){
1854
perror_plus("close");
1855
_exit(EX_OSERR);
1856
}
1857
ret = dup2(STDERR_FILENO, STDOUT_FILENO);
1858
if(ret == -1){
1859
perror_plus("dup2(STDERR_FILENO, STDOUT_FILENO)");
1860
_exit(EX_OSERR);
1861
}
1862
if(fexecve(hook_fd, (char *const []){ direntry->d_name, NULL },
1863
environ) == -1){
1864
perror_plus("fexecve");
1865
_exit(EXIT_FAILURE);
1866
}
1867
} else {
1868
if(hook_pid == -1){
1869
perror_plus("fork");
1870
free(direntry);
1871
continue;
1872
}
1873
int status;
1874
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1875
perror_plus("waitpid");
1876
free(direntry);
1877
continue;
1878
}
1879
if(WIFEXITED(status)){
1880
if(WEXITSTATUS(status) != 0){
1881
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1882
" with status %d\n", direntry->d_name,
1883
WEXITSTATUS(status));
1884
free(direntry);
1885
continue;
1886
}
1887
} else if(WIFSIGNALED(status)){
1888
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1889
" signal %d\n", direntry->d_name,
1890
WTERMSIG(status));
1891
free(direntry);
1892
continue;
1893
} else {
1894
fprintf_plus(stderr, "Warning: network hook \"%s\""
1895
" crashed\n", direntry->d_name);
1896
free(direntry);
1897
continue;
1898
}
1899
}
1900
if(debug){
1901
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1902
direntry->d_name);
1903
}
1904
free(direntry);
1905
}
1906
free(direntries);
1907
if((int)TEMP_FAILURE_RETRY(close(hookdir_fd)) == -1){
1908
perror_plus("close");
1909
} else {
1910
hookdir_fd = -1;
1911
}
1912
close(devnull);
1913
}
1914
1915
__attribute__((nonnull, warn_unused_result))
1916
error_t bring_up_interface(const char *const interface,
1917
const float delay){
1918
error_t old_errno = errno;
1919
int ret;
1920
struct ifreq network;
1921
unsigned int if_index = if_nametoindex(interface);
1922
if(if_index == 0){
1923
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
1924
errno = old_errno;
1925
return ENXIO;
1926
}
1927
1928
if(quit_now){
1929
errno = old_errno;
1930
return EINTR;
1931
}
1932
1933
if(not interface_is_up(interface)){
1934
error_t ret_errno = 0, ioctl_errno = 0;
1935
if(not get_flags(interface, &network)){
1936
ret_errno = errno;
1937
fprintf_plus(stderr, "Failed to get flags for interface "
1938
"\"%s\"\n", interface);
1939
errno = old_errno;
1940
return ret_errno;
1941
}
1942
network.ifr_flags |= IFF_UP; /* set flag */
1943
1944
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
1945
if(sd == -1){
1946
ret_errno = errno;
1947
perror_plus("socket");
1948
errno = old_errno;
1949
return ret_errno;
1950
}
1951
1952
if(quit_now){
1953
ret = (int)TEMP_FAILURE_RETRY(close(sd));
1954
if(ret == -1){
1955
perror_plus("close");
1956
}
1957
errno = old_errno;
1958
return EINTR;
1959
}
1960
1961
if(debug){
1962
fprintf_plus(stderr, "Bringing up interface \"%s\"\n",
1963
interface);
1964
}
1965
1966
/* Raise privileges */
1967
ret_errno = raise_privileges();
1968
if(ret_errno != 0){
1969
errno = ret_errno;
1970
perror_plus("Failed to raise privileges");
1971
}
1972
1973
#ifdef __linux__
1974
int ret_linux;
1975
bool restore_loglevel = false;
1976
if(ret_errno == 0){
1977
/* Lower kernel loglevel to KERN_NOTICE to avoid KERN_INFO
1978
messages about the network interface to mess up the prompt */
1979
ret_linux = klogctl(8, NULL, 5);
1980
if(ret_linux == -1){
1981
perror_plus("klogctl");
1982
} else {
1983
restore_loglevel = true;
1984
}
1985
}
1986
#endif /* __linux__ */
1987
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
1988
ioctl_errno = errno;
1989
#ifdef __linux__
1990
if(restore_loglevel){
1991
ret_linux = klogctl(7, NULL, 0);
1992
if(ret_linux == -1){
1993
perror_plus("klogctl");
1994
}
1995
}
1996
#endif /* __linux__ */
1997
1998
/* If raise_privileges() succeeded above */
1999
if(ret_errno == 0){
2000
/* Lower privileges */
2001
ret_errno = lower_privileges();
2002
if(ret_errno != 0){
2003
errno = ret_errno;
2004
perror_plus("Failed to lower privileges");
2005
}
2006
}
2007
2008
/* Close the socket */
2009
ret = (int)TEMP_FAILURE_RETRY(close(sd));
2010
if(ret == -1){
2011
perror_plus("close");
2012
}
2013
2014
if(ret_setflags == -1){
2015
errno = ioctl_errno;
2016
perror_plus("ioctl SIOCSIFFLAGS +IFF_UP");
2017
errno = old_errno;
2018
return ioctl_errno;
2019
}
2020
} else if(debug){
2021
fprintf_plus(stderr, "Interface \"%s\" is already up; good\n",
2022
interface);
2023
}
2024
2025
/* Sleep checking until interface is running.
2026
Check every 0.25s, up to total time of delay */
2027
for(int i=0; i < delay * 4; i++){
2028
if(interface_is_running(interface)){
2029
break;
2030
}
2031
struct timespec sleeptime = { .tv_nsec = 250000000 };
2032
ret = nanosleep(&sleeptime, NULL);
2033
if(ret == -1 and errno != EINTR){
2034
perror_plus("nanosleep");
2035
}
2036
}
2037
2038
errno = old_errno;
2039
return 0;
2040
}
2041
2042
__attribute__((nonnull, warn_unused_result))
2043
error_t take_down_interface(const char *const interface){
2044
error_t old_errno = errno;
2045
struct ifreq network;
2046
unsigned int if_index = if_nametoindex(interface);
2047
if(if_index == 0){
2048
fprintf_plus(stderr, "No such interface: \"%s\"\n", interface);
2049
errno = old_errno;
2050
return ENXIO;
2051
}
2052
if(interface_is_up(interface)){
2053
error_t ret_errno = 0, ioctl_errno = 0;
2054
if(not get_flags(interface, &network) and debug){
2055
ret_errno = errno;
2056
fprintf_plus(stderr, "Failed to get flags for interface "
2057
"\"%s\"\n", interface);
2058
errno = old_errno;
2059
return ret_errno;
2060
}
2061
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2062
2063
int sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);
2064
if(sd == -1){
2065
ret_errno = errno;
2066
perror_plus("socket");
2067
errno = old_errno;
2068
return ret_errno;
2069
}
2070
2071
if(debug){
2072
fprintf_plus(stderr, "Taking down interface \"%s\"\n",
2073
interface);
2074
}
2075
2076
/* Raise privileges */
2077
ret_errno = raise_privileges();
2078
if(ret_errno != 0){
2079
errno = ret_errno;
2080
perror_plus("Failed to raise privileges");
2081
}
2082
2083
int ret_setflags = ioctl(sd, SIOCSIFFLAGS, &network);
2084
ioctl_errno = errno;
2085
2086
/* If raise_privileges() succeeded above */
2087
if(ret_errno == 0){
2088
/* Lower privileges */
2089
ret_errno = lower_privileges();
2090
if(ret_errno != 0){
2091
errno = ret_errno;
2092
perror_plus("Failed to lower privileges");
2093
}
2094
}
2095
2096
/* Close the socket */
2097
int ret = (int)TEMP_FAILURE_RETRY(close(sd));
2098
if(ret == -1){
2099
perror_plus("close");
2100
}
2101
2102
if(ret_setflags == -1){
2103
errno = ioctl_errno;
2104
perror_plus("ioctl SIOCSIFFLAGS -IFF_UP");
2105
errno = old_errno;
2106
return ioctl_errno;
2107
}
2108
} else if(debug){
2109
fprintf_plus(stderr, "Interface \"%s\" is already down; odd\n",
2110
interface);
2111
}
2112
2113
errno = old_errno;
2114
return 0;
2115
}
2116
2117
int main(int argc, char *argv[]){
2118
mandos_context mc = { .server = NULL, .dh_bits = 1024,
2119
.priority = "SECURE256:!CTYPE-X.509:"
2120
"+CTYPE-OPENPGP", .current_server = NULL,
2121
.interfaces = NULL, .interfaces_size = 0 };
2122
AvahiSServiceBrowser *sb = NULL;
2123
error_t ret_errno;
2124
int ret;
2125
intmax_t tmpmax;
2126
char *tmp;
2127
int exitcode = EXIT_SUCCESS;
2128
char *interfaces_to_take_down = NULL;
2129
size_t interfaces_to_take_down_size = 0;
2130
char run_tempdir[] = "/run/tmp/mandosXXXXXX";
2131
char old_tempdir[] = "/tmp/mandosXXXXXX";
2132
char *tempdir = NULL;
2133
AvahiIfIndex if_index = AVAHI_IF_UNSPEC;
2134
const char *seckey = PATHDIR "/" SECKEY;
2135
const char *pubkey = PATHDIR "/" PUBKEY;
2136
char *interfaces_hooks = NULL;
2137
2138
bool gnutls_initialized = false;
2139
bool gpgme_initialized = false;
2140
float delay = 2.5f;
2141
double retry_interval = 10; /* 10s between trying a server and
2142
retrying the same server again */
2143
2144
struct sigaction old_sigterm_action = { .sa_handler = SIG_DFL };
2145
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
2146
2147
uid = getuid();
2148
gid = getgid();
2149
2150
/* Lower any group privileges we might have, just to be safe */
2151
errno = 0;
2152
ret = setgid(gid);
2153
if(ret == -1){
2154
perror_plus("setgid");
2155
}
2156
2157
/* Lower user privileges (temporarily) */
2158
errno = 0;
2159
ret = seteuid(uid);
2160
if(ret == -1){
2161
perror_plus("seteuid");
2162
}
2163
2164
if(quit_now){
2165
goto end;
2166
}
2167
2168
{
2169
struct argp_option options[] = {
2170
{ .name = "debug", .key = 128,
2171
.doc = "Debug mode", .group = 3 },
2172
{ .name = "connect", .key = 'c',
2173
.arg = "ADDRESS:PORT",
2174
.doc = "Connect directly to a specific Mandos server",
2175
.group = 1 },
2176
{ .name = "interface", .key = 'i',
2177
.arg = "NAME",
2178
.doc = "Network interface that will be used to search for"
2179
" Mandos servers",
2180
.group = 1 },
2181
{ .name = "seckey", .key = 's',
2182
.arg = "FILE",
2183
.doc = "OpenPGP secret key file base name",
2184
.group = 1 },
2185
{ .name = "pubkey", .key = 'p',
2186
.arg = "FILE",
2187
.doc = "OpenPGP public key file base name",
2188
.group = 2 },
2189
{ .name = "dh-bits", .key = 129,
2190
.arg = "BITS",
2191
.doc = "Bit length of the prime number used in the"
2192
" Diffie-Hellman key exchange",
2193
.group = 2 },
2194
{ .name = "priority", .key = 130,
2195
.arg = "STRING",
2196
.doc = "GnuTLS priority string for the TLS handshake",
2197
.group = 1 },
2198
{ .name = "delay", .key = 131,
2199
.arg = "SECONDS",
2200
.doc = "Maximum delay to wait for interface startup",
2201
.group = 2 },
2202
{ .name = "retry", .key = 132,
2203
.arg = "SECONDS",
2204
.doc = "Retry interval used when denied by the Mandos server",
2205
.group = 2 },
2206
{ .name = "network-hook-dir", .key = 133,
2207
.arg = "DIR",
2208
.doc = "Directory where network hooks are located",
2209
.group = 2 },
2210
/*
2211
* These reproduce what we would get without ARGP_NO_HELP
2212
*/
2213
{ .name = "help", .key = '?',
2214
.doc = "Give this help list", .group = -1 },
2215
{ .name = "usage", .key = -3,
2216
.doc = "Give a short usage message", .group = -1 },
2217
{ .name = "version", .key = 'V',
2218
.doc = "Print program version", .group = -1 },
2219
{ .name = NULL }
2220
};
2221
2222
error_t parse_opt(int key, char *arg,
2223
struct argp_state *state){
2224
errno = 0;
2225
switch(key){
2226
case 128: /* --debug */
2227
debug = true;
2228
break;
2229
case 'c': /* --connect */
2230
connect_to = arg;
2231
break;
2232
case 'i': /* --interface */
2233
ret_errno = argz_add_sep(&mc.interfaces, &mc.interfaces_size,
2234
arg, (int)',');
2235
if(ret_errno != 0){
2236
argp_error(state, "%s", strerror(ret_errno));
2237
}
2238
break;
2239
case 's': /* --seckey */
2240
seckey = arg;
2241
break;
2242
case 'p': /* --pubkey */
2243
pubkey = arg;
2244
break;
2245
case 129: /* --dh-bits */
2246
errno = 0;
2247
tmpmax = strtoimax(arg, &tmp, 10);
2248
if(errno != 0 or tmp == arg or *tmp != '\0'
2249
or tmpmax != (typeof(mc.dh_bits))tmpmax){
2250
argp_error(state, "Bad number of DH bits");
2251
}
2252
mc.dh_bits = (typeof(mc.dh_bits))tmpmax;
2253
break;
2254
case 130: /* --priority */
2255
mc.priority = arg;
2256
break;
2257
case 131: /* --delay */
2258
errno = 0;
2259
delay = strtof(arg, &tmp);
2260
if(errno != 0 or tmp == arg or *tmp != '\0'){
2261
argp_error(state, "Bad delay");
2262
}
2263
case 132: /* --retry */
2264
errno = 0;
2265
retry_interval = strtod(arg, &tmp);
2266
if(errno != 0 or tmp == arg or *tmp != '\0'
2267
or (retry_interval * 1000) > INT_MAX
2268
or retry_interval < 0){
2269
argp_error(state, "Bad retry interval");
2270
}
2271
break;
2272
case 133: /* --network-hook-dir */
2273
hookdir = arg;
2274
break;
2275
/*
2276
* These reproduce what we would get without ARGP_NO_HELP
2277
*/
2278
case '?': /* --help */
2279
argp_state_help(state, state->out_stream,
2280
(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)
2281
& ~(unsigned int)ARGP_HELP_EXIT_OK);
2282
case -3: /* --usage */
2283
argp_state_help(state, state->out_stream,
2284
ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);
2285
case 'V': /* --version */
2286
fprintf_plus(state->out_stream, "%s\n", argp_program_version);
2287
exit(argp_err_exit_status);
2288
break;
2289
default:
2290
return ARGP_ERR_UNKNOWN;
2291
}
2292
return errno;
2293
}
2294
2295
struct argp argp = { .options = options, .parser = parse_opt,
2296
.args_doc = "",
2297
.doc = "Mandos client -- Get and decrypt"
2298
" passwords from a Mandos server" };
2299
ret = argp_parse(&argp, argc, argv,
2300
ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);
2301
switch(ret){
2302
case 0:
2303
break;
2304
case ENOMEM:
595
2305
default:
596
case AVAHI_BROWSER_FAILURE:
597
598
fprintf(stderr, "(Browser) %s\n",
599
avahi_strerror(avahi_server_errno(server)));
600
avahi_simple_poll_quit(simple_poll);
601
return;
602
603
case AVAHI_BROWSER_NEW:
604
/* We ignore the returned resolver object. In the callback
605
function we free it. If the server is terminated before
606
the callback function is called the server will free
607
the resolver for us. */
608
609
if (!(avahi_s_service_resolver_new(s, interface, protocol, name,
610
type, domain,
611
AVAHI_PROTO_INET6, 0,
612
resolve_callback, s)))
613
fprintf(stderr, "Failed to resolve service '%s': %s\n", name,
614
avahi_strerror(avahi_server_errno(s)));
615
break;
616
617
case AVAHI_BROWSER_REMOVE:
618
break;
619
620
case AVAHI_BROWSER_ALL_FOR_NOW:
621
case AVAHI_BROWSER_CACHE_EXHAUSTED:
622
break;
623
}
624
}
625
626
int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char*argv[]) {
2306
errno = ret;
2307
perror_plus("argp_parse");
2308
exitcode = EX_OSERR;
2309
goto end;
2310
case EINVAL:
2311
exitcode = EX_USAGE;
2312
goto end;
2313
}
2314
}
2315
2316
{
2317
/* Work around Debian bug #633582:
2318
<http://bugs.debian.org/633582> */
2319
2320
/* Re-raise privileges */
2321
ret_errno = raise_privileges();
2322
if(ret_errno != 0){
2323
errno = ret_errno;
2324
perror_plus("Failed to raise privileges");
2325
} else {
2326
struct stat st;
2327
2328
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
2329
int seckey_fd = open(seckey, O_RDONLY);
2330
if(seckey_fd == -1){
2331
perror_plus("open");
2332
} else {
2333
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
2334
if(ret == -1){
2335
perror_plus("fstat");
2336
} else {
2337
if(S_ISREG(st.st_mode)
2338
and st.st_uid == 0 and st.st_gid == 0){
2339
ret = fchown(seckey_fd, uid, gid);
2340
if(ret == -1){
2341
perror_plus("fchown");
2342
}
2343
}
2344
}
2345
TEMP_FAILURE_RETRY(close(seckey_fd));
2346
}
2347
}
2348
2349
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
2350
int pubkey_fd = open(pubkey, O_RDONLY);
2351
if(pubkey_fd == -1){
2352
perror_plus("open");
2353
} else {
2354
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
2355
if(ret == -1){
2356
perror_plus("fstat");
2357
} else {
2358
if(S_ISREG(st.st_mode)
2359
and st.st_uid == 0 and st.st_gid == 0){
2360
ret = fchown(pubkey_fd, uid, gid);
2361
if(ret == -1){
2362
perror_plus("fchown");
2363
}
2364
}
2365
}
2366
TEMP_FAILURE_RETRY(close(pubkey_fd));
2367
}
2368
}
2369
2370
/* Lower privileges */
2371
ret_errno = lower_privileges();
2372
if(ret_errno != 0){
2373
errno = ret_errno;
2374
perror_plus("Failed to lower privileges");
2375
}
2376
}
2377
}
2378
2379
/* Remove invalid interface names (except "none") */
2380
{
2381
char *interface = NULL;
2382
while((interface = argz_next(mc.interfaces, mc.interfaces_size,
2383
interface))){
2384
if(strcmp(interface, "none") != 0
2385
and if_nametoindex(interface) == 0){
2386
if(interface[0] != '\0'){
2387
fprintf_plus(stderr, "Not using nonexisting interface"
2388
" \"%s\"\n", interface);
2389
}
2390
argz_delete(&mc.interfaces, &mc.interfaces_size, interface);
2391
interface = NULL;
2392
}
2393
}
2394
}
2395
2396
/* Run network hooks */
2397
{
2398
if(mc.interfaces != NULL){
2399
interfaces_hooks = malloc(mc.interfaces_size);
2400
if(interfaces_hooks == NULL){
2401
perror_plus("malloc");
2402
goto end;
2403
}
2404
memcpy(interfaces_hooks, mc.interfaces, mc.interfaces_size);
2405
argz_stringify(interfaces_hooks, mc.interfaces_size, (int)',');
2406
}
2407
run_network_hooks("start", interfaces_hooks != NULL ?
2408
interfaces_hooks : "", delay);
2409
}
2410
2411
if(not debug){
2412
avahi_set_log_function(empty_log);
2413
}
2414
2415
/* Initialize Avahi early so avahi_simple_poll_quit() can be called
2416
from the signal handler */
2417
/* Initialize the pseudo-RNG for Avahi */
2418
srand((unsigned int) time(NULL));
2419
simple_poll = avahi_simple_poll_new();
2420
if(simple_poll == NULL){
2421
fprintf_plus(stderr,
2422
"Avahi: Failed to create simple poll object.\n");
2423
exitcode = EX_UNAVAILABLE;
2424
goto end;
2425
}
2426
2427
sigemptyset(&sigterm_action.sa_mask);
2428
ret = sigaddset(&sigterm_action.sa_mask, SIGINT);
2429
if(ret == -1){
2430
perror_plus("sigaddset");
2431
exitcode = EX_OSERR;
2432
goto end;
2433
}
2434
ret = sigaddset(&sigterm_action.sa_mask, SIGHUP);
2435
if(ret == -1){
2436
perror_plus("sigaddset");
2437
exitcode = EX_OSERR;
2438
goto end;
2439
}
2440
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
2441
if(ret == -1){
2442
perror_plus("sigaddset");
2443
exitcode = EX_OSERR;
2444
goto end;
2445
}
2446
/* Need to check if the handler is SIG_IGN before handling:
2447
| [[info:libc:Initial Signal Actions]] |
2448
| [[info:libc:Basic Signal Handling]] |
2449
*/
2450
ret = sigaction(SIGINT, NULL, &old_sigterm_action);
2451
if(ret == -1){
2452
perror_plus("sigaction");
2453
return EX_OSERR;
2454
}
2455
if(old_sigterm_action.sa_handler != SIG_IGN){
2456
ret = sigaction(SIGINT, &sigterm_action, NULL);
2457
if(ret == -1){
2458
perror_plus("sigaction");
2459
exitcode = EX_OSERR;
2460
goto end;
2461
}
2462
}
2463
ret = sigaction(SIGHUP, NULL, &old_sigterm_action);
2464
if(ret == -1){
2465
perror_plus("sigaction");
2466
return EX_OSERR;
2467
}
2468
if(old_sigterm_action.sa_handler != SIG_IGN){
2469
ret = sigaction(SIGHUP, &sigterm_action, NULL);
2470
if(ret == -1){
2471
perror_plus("sigaction");
2472
exitcode = EX_OSERR;
2473
goto end;
2474
}
2475
}
2476
ret = sigaction(SIGTERM, NULL, &old_sigterm_action);
2477
if(ret == -1){
2478
perror_plus("sigaction");
2479
return EX_OSERR;
2480
}
2481
if(old_sigterm_action.sa_handler != SIG_IGN){
2482
ret = sigaction(SIGTERM, &sigterm_action, NULL);
2483
if(ret == -1){
2484
perror_plus("sigaction");
2485
exitcode = EX_OSERR;
2486
goto end;
2487
}
2488
}
2489
2490
/* If no interfaces were specified, make a list */
2491
if(mc.interfaces == NULL){
2492
struct dirent **direntries = NULL;
2493
/* Look for any good interfaces */
2494
ret = scandir(sys_class_net, &direntries, good_interface,
2495
alphasort);
2496
if(ret >= 1){
2497
/* Add all found interfaces to interfaces list */
2498
for(int i = 0; i < ret; ++i){
2499
ret_errno = argz_add(&mc.interfaces, &mc.interfaces_size,
2500
direntries[i]->d_name);
2501
if(ret_errno != 0){
2502
errno = ret_errno;
2503
perror_plus("argz_add");
2504
free(direntries[i]);
2505
continue;
2506
}
2507
if(debug){
2508
fprintf_plus(stderr, "Will use interface \"%s\"\n",
2509
direntries[i]->d_name);
2510
}
2511
free(direntries[i]);
2512
}
2513
free(direntries);
2514
} else {
2515
if(ret == 0){
2516
free(direntries);
2517
}
2518
fprintf_plus(stderr, "Could not find a network interface\n");
2519
exitcode = EXIT_FAILURE;
2520
goto end;
2521
}
2522
}
2523
2524
/* Bring up interfaces which are down, and remove any "none"s */
2525
{
2526
char *interface = NULL;
2527
while((interface = argz_next(mc.interfaces, mc.interfaces_size,
2528
interface))){
2529
/* If interface name is "none", stop bringing up interfaces.
2530
Also remove all instances of "none" from the list */
2531
if(strcmp(interface, "none") == 0){
2532
argz_delete(&mc.interfaces, &mc.interfaces_size,
2533
interface);
2534
interface = NULL;
2535
while((interface = argz_next(mc.interfaces,
2536
mc.interfaces_size, interface))){
2537
if(strcmp(interface, "none") == 0){
2538
argz_delete(&mc.interfaces, &mc.interfaces_size,
2539
interface);
2540
interface = NULL;
2541
}
2542
}
2543
break;
2544
}
2545
bool interface_was_up = interface_is_up(interface);
2546
errno = bring_up_interface(interface, delay);
2547
if(not interface_was_up){
2548
if(errno != 0){
2549
perror_plus("Failed to bring up interface");
2550
} else {
2551
errno = argz_add(&interfaces_to_take_down,
2552
&interfaces_to_take_down_size,
2553
interface);
2554
if(errno != 0){
2555
perror_plus("argz_add");
2556
}
2557
}
2558
}
2559
}
2560
if(debug and (interfaces_to_take_down == NULL)){
2561
fprintf_plus(stderr, "No interfaces were brought up\n");
2562
}
2563
}
2564
2565
/* If we only got one interface, explicitly use only that one */
2566
if(argz_count(mc.interfaces, mc.interfaces_size) == 1){
2567
if(debug){
2568
fprintf_plus(stderr, "Using only interface \"%s\"\n",
2569
mc.interfaces);
2570
}
2571
if_index = (AvahiIfIndex)if_nametoindex(mc.interfaces);
2572
}
2573
2574
if(quit_now){
2575
goto end;
2576
}
2577
2578
ret = init_gnutls_global(pubkey, seckey, &mc);
2579
if(ret == -1){
2580
fprintf_plus(stderr, "init_gnutls_global failed\n");
2581
exitcode = EX_UNAVAILABLE;
2582
goto end;
2583
} else {
2584
gnutls_initialized = true;
2585
}
2586
2587
if(quit_now){
2588
goto end;
2589
}
2590
2591
/* Try /run/tmp before /tmp */
2592
tempdir = mkdtemp(run_tempdir);
2593
if(tempdir == NULL and errno == ENOENT){
2594
if(debug){
2595
fprintf_plus(stderr, "Tempdir %s did not work, trying %s\n",
2596
run_tempdir, old_tempdir);
2597
}
2598
tempdir = mkdtemp(old_tempdir);
2599
}
2600
if(tempdir == NULL){
2601
perror_plus("mkdtemp");
2602
goto end;
2603
}
2604
2605
if(quit_now){
2606
goto end;
2607
}
2608
2609
if(not init_gpgme(pubkey, seckey, tempdir, &mc)){
2610
fprintf_plus(stderr, "init_gpgme failed\n");
2611
exitcode = EX_UNAVAILABLE;
2612
goto end;
2613
} else {
2614
gpgme_initialized = true;
2615
}
2616
2617
if(quit_now){
2618
goto end;
2619
}
2620
2621
if(connect_to != NULL){
2622
/* Connect directly, do not use Zeroconf */
2623
/* (Mainly meant for debugging) */
2624
char *address = strrchr(connect_to, ':');
2625
2626
if(address == NULL){
2627
fprintf_plus(stderr, "No colon in address\n");
2628
exitcode = EX_USAGE;
2629
goto end;
2630
}
2631
2632
if(quit_now){
2633
goto end;
2634
}
2635
2636
in_port_t port;
2637
errno = 0;
2638
tmpmax = strtoimax(address+1, &tmp, 10);
2639
if(errno != 0 or tmp == address+1 or *tmp != '\0'
2640
or tmpmax != (in_port_t)tmpmax){
2641
fprintf_plus(stderr, "Bad port number\n");
2642
exitcode = EX_USAGE;
2643
goto end;
2644
}
2645
2646
if(quit_now){
2647
goto end;
2648
}
2649
2650
port = (in_port_t)tmpmax;
2651
*address = '\0';
2652
/* Colon in address indicates IPv6 */
2653
int af;
2654
if(strchr(connect_to, ':') != NULL){
2655
af = AF_INET6;
2656
/* Accept [] around IPv6 address - see RFC 5952 */
2657
if(connect_to[0] == '[' and address[-1] == ']')
2658
{
2659
connect_to++;
2660
address[-1] = '\0';
2661
}
2662
} else {
2663
af = AF_INET;
2664
}
2665
address = connect_to;
2666
2667
if(quit_now){
2668
goto end;
2669
}
2670
2671
while(not quit_now){
2672
ret = start_mandos_communication(address, port, if_index, af,
2673
&mc);
2674
if(quit_now or ret == 0){
2675
break;
2676
}
2677
if(debug){
2678
fprintf_plus(stderr, "Retrying in %d seconds\n",
2679
(int)retry_interval);
2680
}
2681
sleep((unsigned int)retry_interval);
2682
}
2683
2684
if(not quit_now){
2685
exitcode = EXIT_SUCCESS;
2686
}
2687
2688
goto end;
2689
}
2690
2691
if(quit_now){
2692
goto end;
2693
}
2694
2695
{
627
2696
AvahiServerConfig config;
628
AvahiSServiceBrowser *sb = NULL;
629
int error;
630
int ret;
631
int returncode = EXIT_SUCCESS;
632
const char *interface = "eth0";
633
unsigned int if_index;
634
char *connect_to = NULL;
635
636
while (true){
637
static struct option long_options[] = {
638
{"debug", no_argument, (int *)&debug, 1},
639
{"connect", required_argument, 0, 'c'},
640
{"interface", required_argument, 0, 'i'},
641
{0, 0, 0, 0} };
642
643
int option_index = 0;
644
ret = getopt_long (argc, argv, "i:", long_options,
645
&option_index);
646
647
if (ret == -1){
648
break;
649
}
650
651
switch(ret){
652
case 0:
653
break;
654
case 'i':
655
interface = optarg;
656
break;
657
case 'c':
658
connect_to = optarg;
659
break;
660
default:
661
exit(EXIT_FAILURE);
662
}
663
}
664
665
if_index = if_nametoindex(interface);
666
if(if_index == 0){
667
fprintf(stderr, "No such interface: \"%s\"\n", interface);
668
exit(EXIT_FAILURE);
669
}
670
671
if(connect_to != NULL){
672
/* Connect directly, do not use Zeroconf */
673
/* (Mainly meant for debugging) */
674
char *address = strrchr(connect_to, ':');
675
if(address == NULL){
676
fprintf(stderr, "No colon in address\n");
677
exit(EXIT_FAILURE);
678
}
679
errno = 0;
680
uint16_t port = (uint16_t) strtol(address+1, NULL, 10);
681
if(errno){
682
perror("Bad port number");
683
exit(EXIT_FAILURE);
684
}
685
*address = '\0';
686
address = connect_to;
687
ret = start_mandos_communication(address, port, if_index);
688
if(ret < 0){
689
exit(EXIT_FAILURE);
690
} else {
691
exit(EXIT_SUCCESS);
692
}
693
}
694
695
if (not debug){
696
avahi_set_log_function(empty_log);
697
}
698
699
/* Initialize the psuedo-RNG */
700
srand((unsigned int) time(NULL));
701
702
/* Allocate main loop object */
703
if (!(simple_poll = avahi_simple_poll_new())) {
704
fprintf(stderr, "Failed to create simple poll object.\n");
705
706
goto exit;
707
}
708
709
/* Do not publish any local records */
2697
/* Do not publish any local Zeroconf records */
710
2698
avahi_server_config_init(&config);
711
2699
config.publish_hinfo = 0;
712
2700
config.publish_addresses = 0;
713
2701
config.publish_workstation = 0;
714
2702
config.publish_domain = 0;
715
2703
716
2704
/* Allocate a new server */
717
server = avahi_server_new(avahi_simple_poll_get(simple_poll),
718
&config, NULL, NULL, &error);
719
720
/* Free the configuration data */
2705
mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),
2706
&config, NULL, NULL, &ret_errno);
2707
2708
/* Free the Avahi configuration data */
721
2709
avahi_server_config_free(&config);
722
723
/* Check if creating the server object succeeded */
724
if (!server) {
725
fprintf(stderr, "Failed to create server: %s\n",
726
avahi_strerror(error));
727
returncode = EXIT_FAILURE;
728
goto exit;
729
}
730
731
/* Create the service browser */
732
sb = avahi_s_service_browser_new(server, (AvahiIfIndex)if_index,
733
AVAHI_PROTO_INET6,
734
"_mandos._tcp", NULL, 0,
735
browse_callback, server);
736
if (!sb) {
737
fprintf(stderr, "Failed to create service browser: %s\n",
738
avahi_strerror(avahi_server_errno(server)));
739
returncode = EXIT_FAILURE;
740
goto exit;
741
}
742
743
/* Run the main loop */
744
745
if (debug){
746
fprintf(stderr, "Starting avahi loop search\n");
747
}
748
749
avahi_simple_poll_loop(simple_poll);
750
751
exit:
752
753
if (debug){
754
fprintf(stderr, "%s exiting\n", argv[0]);
755
}
756
757
/* Cleanup things */
758
if (sb)
759
avahi_s_service_browser_free(sb);
760
761
if (server)
762
avahi_server_free(server);
763
764
if (simple_poll)
765
avahi_simple_poll_free(simple_poll);
766
767
return returncode;
2710
}
2711
2712
/* Check if creating the Avahi server object succeeded */
2713
if(mc.server == NULL){
2714
fprintf_plus(stderr, "Failed to create Avahi server: %s\n",
2715
avahi_strerror(ret_errno));
2716
exitcode = EX_UNAVAILABLE;
2717
goto end;
2718
}
2719
2720
if(quit_now){
2721
goto end;
2722
}
2723
2724
/* Create the Avahi service browser */
2725
sb = avahi_s_service_browser_new(mc.server, if_index,
2726
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2727
NULL, 0, browse_callback,
2728
(void *)&mc);
2729
if(sb == NULL){
2730
fprintf_plus(stderr, "Failed to create service browser: %s\n",
2731
avahi_strerror(avahi_server_errno(mc.server)));
2732
exitcode = EX_UNAVAILABLE;
2733
goto end;
2734
}
2735
2736
if(quit_now){
2737
goto end;
2738
}
2739
2740
/* Run the main loop */
2741
2742
if(debug){
2743
fprintf_plus(stderr, "Starting Avahi loop search\n");
2744
}
2745
2746
ret = avahi_loop_with_timeout(simple_poll,
2747
(int)(retry_interval * 1000), &mc);
2748
if(debug){
2749
fprintf_plus(stderr, "avahi_loop_with_timeout exited %s\n",
2750
(ret == 0) ? "successfully" : "with error");
2751
}
2752
2753
end:
2754
2755
if(debug){
2756
fprintf_plus(stderr, "%s exiting\n", argv[0]);
2757
}
2758
2759
/* Cleanup things */
2760
free(mc.interfaces);
2761
2762
if(sb != NULL)
2763
avahi_s_service_browser_free(sb);
2764
2765
if(mc.server != NULL)
2766
avahi_server_free(mc.server);
2767
2768
if(simple_poll != NULL)
2769
avahi_simple_poll_free(simple_poll);
2770
2771
if(gnutls_initialized){
2772
gnutls_certificate_free_credentials(mc.cred);
2773
gnutls_global_deinit();
2774
gnutls_dh_params_deinit(mc.dh_params);
2775
}
2776
2777
if(gpgme_initialized){
2778
gpgme_release(mc.ctx);
2779
}
2780
2781
/* Cleans up the circular linked list of Mandos servers the client
2782
has seen */
2783
if(mc.current_server != NULL){
2784
mc.current_server->prev->next = NULL;
2785
while(mc.current_server != NULL){
2786
server *next = mc.current_server->next;
2787
#ifdef __GNUC__
2788
#pragma GCC diagnostic push
2789
#pragma GCC diagnostic ignored "-Wcast-qual"
2790
#endif
2791
free((char *)(mc.current_server->ip));
2792
#ifdef __GNUC__
2793
#pragma GCC diagnostic pop
2794
#endif
2795
free(mc.current_server);
2796
mc.current_server = next;
2797
}
2798
}
2799
2800
/* Re-raise privileges */
2801
{
2802
ret_errno = raise_privileges();
2803
if(ret_errno != 0){
2804
errno = ret_errno;
2805
perror_plus("Failed to raise privileges");
2806
} else {
2807
2808
/* Run network hooks */
2809
run_network_hooks("stop", interfaces_hooks != NULL ?
2810
interfaces_hooks : "", delay);
2811
2812
/* Take down the network interfaces which were brought up */
2813
{
2814
char *interface = NULL;
2815
while((interface=argz_next(interfaces_to_take_down,
2816
interfaces_to_take_down_size,
2817
interface))){
2818
ret_errno = take_down_interface(interface);
2819
if(ret_errno != 0){
2820
errno = ret_errno;
2821
perror_plus("Failed to take down interface");
2822
}
2823
}
2824
if(debug and (interfaces_to_take_down == NULL)){
2825
fprintf_plus(stderr, "No interfaces needed to be taken"
2826
" down\n");
2827
}
2828
}
2829
}
2830
2831
ret_errno = lower_privileges_permanently();
2832
if(ret_errno != 0){
2833
errno = ret_errno;
2834
perror_plus("Failed to lower privileges permanently");
2835
}
2836
}
2837
2838
free(interfaces_to_take_down);
2839
free(interfaces_hooks);
2840
2841
/* Removes the GPGME temp directory and all files inside */
2842
if(tempdir != NULL){
2843
struct dirent **direntries = NULL;
2844
int tempdir_fd = (int)TEMP_FAILURE_RETRY(open(tempdir, O_RDONLY
2845
| O_NOFOLLOW
2846
| O_DIRECTORY
2847
| O_PATH));
2848
if(tempdir_fd == -1){
2849
perror_plus("open");
2850
} else {
2851
#ifdef __GLIBC__
2852
#if __GLIBC_PREREQ(2, 15)
2853
int numentries = scandirat(tempdir_fd, ".", &direntries,
2854
notdotentries, alphasort);
2855
#else /* not __GLIBC_PREREQ(2, 15) */
2856
int numentries = scandir(tempdir, &direntries, notdotentries,
2857
alphasort);
2858
#endif /* not __GLIBC_PREREQ(2, 15) */
2859
#else /* not __GLIBC__ */
2860
int numentries = scandir(tempdir, &direntries, notdotentries,
2861
alphasort);
2862
#endif /* not __GLIBC__ */
2863
if(numentries >= 0){
2864
for(int i = 0; i < numentries; i++){
2865
ret = unlinkat(tempdir_fd, direntries[i]->d_name, 0);
2866
if(ret == -1){
2867
fprintf_plus(stderr, "unlinkat(open(\"%s\", O_RDONLY),"
2868
" \"%s\", 0): %s\n", tempdir,
2869
direntries[i]->d_name, strerror(errno));
2870
}
2871
free(direntries[i]);
2872
}
2873
2874
/* need to clean even if 0 because man page doesn't specify */
2875
free(direntries);
2876
if(numentries == -1){
2877
perror_plus("scandir");
2878
}
2879
ret = rmdir(tempdir);
2880
if(ret == -1 and errno != ENOENT){
2881
perror_plus("rmdir");
2882
}
2883
}
2884
TEMP_FAILURE_RETRY(close(tempdir_fd));
2885
}
2886
}
2887
2888
if(quit_now){
2889
sigemptyset(&old_sigterm_action.sa_mask);
2890
old_sigterm_action.sa_handler = SIG_DFL;
2891
ret = (int)TEMP_FAILURE_RETRY(sigaction(signal_received,
2892
&old_sigterm_action,
2893
NULL));
2894
if(ret == -1){
2895
perror_plus("sigaction");
2896
}
2897
do {
2898
ret = raise(signal_received);
2899
} while(ret != 0 and errno == EINTR);
2900
if(ret != 0){
2901
perror_plus("raise");
2902
abort();
2903
}
2904
TEMP_FAILURE_RETRY(pause());
2905
}
2906
2907
return exitcode;
768
2908
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0